2009-03-03 10:06:49 +00:00
|
|
|
/*
|
2009-04-03 10:55:51 +00:00
|
|
|
* Copyright (C) 2008,2009 Red Hat, Inc.
|
2009-03-03 10:06:49 +00:00
|
|
|
*
|
|
|
|
|
* This library is free software; you can redistribute it and/or
|
|
|
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
|
|
|
* License as published by the Free Software Foundation; either
|
|
|
|
|
* version 2.1 of the License, or (at your option) any later version.
|
|
|
|
|
*
|
|
|
|
|
* Authors:
|
|
|
|
|
* James Morris <jmorris@namei.org>
|
2009-04-03 10:55:51 +00:00
|
|
|
* Dan Walsh <dwalsh@redhat.com>
|
2009-03-03 10:06:49 +00:00
|
|
|
*
|
|
|
|
|
* SELinux security driver.
|
|
|
|
|
*/
|
|
|
|
|
#include <config.h>
|
|
|
|
|
#include <selinux/selinux.h>
|
|
|
|
|
#include <selinux/context.h>
|
|
|
|
|
#include <sys/types.h>
|
|
|
|
|
#include <sys/stat.h>
|
|
|
|
|
#include <fcntl.h>
|
|
|
|
|
|
2009-09-15 18:06:37 +00:00
|
|
|
#include "security_driver.h"
|
2009-03-03 10:06:49 +00:00
|
|
|
#include "security_selinux.h"
|
|
|
|
|
#include "virterror_internal.h"
|
|
|
|
|
#include "util.h"
|
|
|
|
|
#include "memory.h"
|
2009-07-03 10:26:37 +00:00
|
|
|
#include "logging.h"
|
2009-08-14 13:23:11 +00:00
|
|
|
#include "pci.h"
|
|
|
|
|
#include "hostusb.h"
|
2009-09-25 13:20:13 +00:00
|
|
|
#include "storage_file.h"
|
2009-03-03 15:18:24 +00:00
|
|
|
|
|
|
|
|
#define VIR_FROM_THIS VIR_FROM_SECURITY
|
|
|
|
|
|
2009-03-03 10:06:49 +00:00
|
|
|
static char default_domain_context[1024];
|
2009-07-03 10:26:37 +00:00
|
|
|
static char default_content_context[1024];
|
2009-03-03 10:06:49 +00:00
|
|
|
static char default_image_context[1024];
|
|
|
|
|
#define SECURITY_SELINUX_VOID_DOI "0"
|
|
|
|
|
#define SECURITY_SELINUX_NAME "selinux"
|
|
|
|
|
|
|
|
|
|
/* TODO
|
|
|
|
|
The data struct of used mcs should be replaced with a better data structure in the future
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
struct MCS {
|
|
|
|
|
char *mcs;
|
|
|
|
|
struct MCS *next;
|
|
|
|
|
};
|
|
|
|
|
static struct MCS *mcsList = NULL;
|
|
|
|
|
|
|
|
|
|
static int
|
|
|
|
|
mcsAdd(const char *mcs)
|
|
|
|
|
{
|
|
|
|
|
struct MCS *ptr;
|
|
|
|
|
|
|
|
|
|
for (ptr = mcsList; ptr; ptr = ptr->next) {
|
2009-03-03 15:18:24 +00:00
|
|
|
if (STREQ(ptr->mcs, mcs))
|
2009-03-03 10:06:49 +00:00
|
|
|
return -1;
|
|
|
|
|
}
|
2009-03-03 15:18:24 +00:00
|
|
|
if (VIR_ALLOC(ptr) < 0)
|
|
|
|
|
return -1;
|
2009-03-03 10:06:49 +00:00
|
|
|
ptr->mcs = strdup(mcs);
|
|
|
|
|
ptr->next = mcsList;
|
|
|
|
|
mcsList = ptr;
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int
|
|
|
|
|
mcsRemove(const char *mcs)
|
|
|
|
|
{
|
|
|
|
|
struct MCS *prevptr = NULL;
|
|
|
|
|
struct MCS *ptr = NULL;
|
|
|
|
|
|
|
|
|
|
for (ptr = mcsList; ptr; ptr = ptr->next) {
|
2009-03-03 15:18:24 +00:00
|
|
|
if (STREQ(ptr->mcs, mcs)) {
|
2009-03-03 10:06:49 +00:00
|
|
|
if (prevptr)
|
|
|
|
|
prevptr->next = ptr->next;
|
|
|
|
|
else {
|
|
|
|
|
mcsList = ptr->next;
|
|
|
|
|
}
|
|
|
|
|
free(ptr->mcs);
|
|
|
|
|
free(ptr);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
prevptr = ptr;
|
|
|
|
|
}
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static char *
|
|
|
|
|
SELinuxGenNewContext(const char *oldcontext, const char *mcs)
|
|
|
|
|
{
|
|
|
|
|
char *newcontext = NULL;
|
|
|
|
|
char *scontext = strdup(oldcontext);
|
|
|
|
|
if (!scontext) goto err;
|
|
|
|
|
context_t con = context_new(scontext);
|
|
|
|
|
if (!con) goto err;
|
|
|
|
|
context_range_set(con, mcs);
|
|
|
|
|
newcontext = strdup(context_str(con));
|
|
|
|
|
context_free(con);
|
|
|
|
|
err:
|
|
|
|
|
freecon(scontext);
|
|
|
|
|
return (newcontext);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int
|
|
|
|
|
SELinuxInitialize(virConnectPtr conn)
|
|
|
|
|
{
|
|
|
|
|
char *ptr = NULL;
|
|
|
|
|
int fd = 0;
|
|
|
|
|
|
|
|
|
|
fd = open(selinux_virtual_domain_context_path(), O_RDONLY);
|
|
|
|
|
if (fd < 0) {
|
2009-08-28 17:44:43 +00:00
|
|
|
virReportSystemError(conn, errno,
|
|
|
|
|
_("cannot open SELinux virtual domain context file '%s'"),
|
|
|
|
|
selinux_virtual_domain_context_path());
|
2009-03-03 10:06:49 +00:00
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (saferead(fd, default_domain_context, sizeof(default_domain_context)) < 0) {
|
2009-08-28 17:44:43 +00:00
|
|
|
virReportSystemError(conn, errno,
|
|
|
|
|
_("cannot read SELinux virtual domain context file %s"),
|
|
|
|
|
selinux_virtual_domain_context_path());
|
2009-03-03 10:06:49 +00:00
|
|
|
close(fd);
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
close(fd);
|
|
|
|
|
|
|
|
|
|
ptr = strchrnul(default_domain_context, '\n');
|
|
|
|
|
*ptr = '\0';
|
|
|
|
|
|
|
|
|
|
if ((fd = open(selinux_virtual_image_context_path(), O_RDONLY)) < 0) {
|
2009-08-28 17:44:43 +00:00
|
|
|
virReportSystemError(conn, errno,
|
|
|
|
|
_("cannot open SELinux virtual image context file %s"),
|
|
|
|
|
selinux_virtual_image_context_path());
|
2009-03-03 10:06:49 +00:00
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (saferead(fd, default_image_context, sizeof(default_image_context)) < 0) {
|
2009-08-28 17:44:43 +00:00
|
|
|
virReportSystemError(conn, errno,
|
|
|
|
|
_("cannot read SELinux virtual image context file %s"),
|
|
|
|
|
selinux_virtual_image_context_path());
|
2009-03-03 10:06:49 +00:00
|
|
|
close(fd);
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
close(fd);
|
|
|
|
|
|
|
|
|
|
ptr = strchrnul(default_image_context, '\n');
|
2009-07-03 10:26:37 +00:00
|
|
|
if (*ptr == '\n') {
|
|
|
|
|
*ptr = '\0';
|
|
|
|
|
strcpy(default_content_context, ptr+1);
|
|
|
|
|
ptr = strchrnul(default_content_context, '\n');
|
|
|
|
|
if (*ptr == '\n')
|
|
|
|
|
*ptr = '\0';
|
|
|
|
|
}
|
2009-03-03 10:06:49 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int
|
2009-03-03 15:18:24 +00:00
|
|
|
SELinuxGenSecurityLabel(virConnectPtr conn,
|
|
|
|
|
virDomainObjPtr vm)
|
2009-03-03 10:06:49 +00:00
|
|
|
{
|
|
|
|
|
int rc = -1;
|
|
|
|
|
char mcs[1024];
|
|
|
|
|
char *scontext = NULL;
|
|
|
|
|
int c1 = 0;
|
|
|
|
|
int c2 = 0;
|
2009-04-03 14:10:17 +00:00
|
|
|
|
|
|
|
|
if (vm->def->seclabel.label ||
|
|
|
|
|
vm->def->seclabel.model ||
|
|
|
|
|
vm->def->seclabel.imagelabel) {
|
|
|
|
|
virSecurityReportError(conn, VIR_ERR_INTERNAL_ERROR,
|
|
|
|
|
"%s", _("security label already defined for VM"));
|
2009-03-03 10:06:49 +00:00
|
|
|
return rc;
|
2009-03-03 15:18:24 +00:00
|
|
|
}
|
2009-03-03 10:06:49 +00:00
|
|
|
|
|
|
|
|
do {
|
|
|
|
|
c1 = virRandom(1024);
|
|
|
|
|
c2 = virRandom(1024);
|
|
|
|
|
|
|
|
|
|
if ( c1 == c2 ) {
|
|
|
|
|
sprintf(mcs, "s0:c%d", c1);
|
|
|
|
|
} else {
|
2009-03-03 15:18:24 +00:00
|
|
|
if ( c1 < c2 )
|
2009-03-03 10:06:49 +00:00
|
|
|
sprintf(mcs, "s0:c%d,c%d", c1, c2);
|
|
|
|
|
else
|
|
|
|
|
sprintf(mcs, "s0:c%d,c%d", c2, c1);
|
|
|
|
|
}
|
|
|
|
|
} while(mcsAdd(mcs) == -1);
|
|
|
|
|
|
|
|
|
|
vm->def->seclabel.label = SELinuxGenNewContext(default_domain_context, mcs);
|
2009-03-03 15:18:24 +00:00
|
|
|
if (! vm->def->seclabel.label) {
|
2009-10-27 16:20:22 +00:00
|
|
|
virSecurityReportError(conn, VIR_ERR_INTERNAL_ERROR,
|
2009-03-03 15:18:24 +00:00
|
|
|
_("cannot generate selinux context for %s"), mcs);
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
2009-03-03 10:06:49 +00:00
|
|
|
vm->def->seclabel.imagelabel = SELinuxGenNewContext(default_image_context, mcs);
|
2009-03-03 15:18:24 +00:00
|
|
|
if (! vm->def->seclabel.imagelabel) {
|
2009-10-27 16:20:22 +00:00
|
|
|
virSecurityReportError(conn, VIR_ERR_INTERNAL_ERROR,
|
2009-03-03 15:18:24 +00:00
|
|
|
_("cannot generate selinux context for %s"), mcs);
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
2009-03-03 10:06:49 +00:00
|
|
|
vm->def->seclabel.model = strdup(SECURITY_SELINUX_NAME);
|
2009-04-03 14:10:17 +00:00
|
|
|
if (!vm->def->seclabel.model) {
|
2009-03-03 15:18:24 +00:00
|
|
|
virReportOOMError(conn);
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
|
2009-03-03 10:06:49 +00:00
|
|
|
|
|
|
|
|
rc = 0;
|
|
|
|
|
goto done;
|
|
|
|
|
err:
|
2009-03-03 15:18:24 +00:00
|
|
|
VIR_FREE(vm->def->seclabel.label);
|
|
|
|
|
VIR_FREE(vm->def->seclabel.imagelabel);
|
|
|
|
|
VIR_FREE(vm->def->seclabel.model);
|
2009-03-03 10:06:49 +00:00
|
|
|
done:
|
2009-03-03 15:18:24 +00:00
|
|
|
VIR_FREE(scontext);
|
2009-03-03 10:06:49 +00:00
|
|
|
return rc;
|
|
|
|
|
}
|
|
|
|
|
|
2009-06-12 11:38:50 +00:00
|
|
|
static int
|
|
|
|
|
SELinuxReserveSecurityLabel(virConnectPtr conn,
|
|
|
|
|
virDomainObjPtr vm)
|
|
|
|
|
{
|
|
|
|
|
security_context_t pctx;
|
|
|
|
|
context_t ctx = NULL;
|
|
|
|
|
const char *mcs;
|
|
|
|
|
|
|
|
|
|
if (getpidcon(vm->pid, &pctx) == -1) {
|
2009-08-28 17:44:43 +00:00
|
|
|
virReportSystemError(conn, errno,
|
|
|
|
|
_("unable to get PID %d security context"), vm->pid);
|
2009-06-12 11:38:50 +00:00
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ctx = context_new(pctx);
|
|
|
|
|
VIR_FREE(pctx);
|
|
|
|
|
if (!ctx)
|
|
|
|
|
goto err;
|
|
|
|
|
|
|
|
|
|
mcs = context_range_get(ctx);
|
|
|
|
|
if (!mcs)
|
|
|
|
|
goto err;
|
|
|
|
|
|
|
|
|
|
mcsAdd(mcs);
|
|
|
|
|
|
|
|
|
|
context_free(ctx);
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
err:
|
|
|
|
|
context_free(ctx);
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2009-03-03 10:06:49 +00:00
|
|
|
static int
|
|
|
|
|
SELinuxSecurityDriverProbe(void)
|
|
|
|
|
{
|
|
|
|
|
return is_selinux_enabled() ? SECURITY_DRIVER_ENABLE : SECURITY_DRIVER_DISABLE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int
|
|
|
|
|
SELinuxSecurityDriverOpen(virConnectPtr conn, virSecurityDriverPtr drv)
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* Where will the DOI come from? SELinux configuration, or qemu
|
|
|
|
|
* configuration? For the moment, we'll just set it to "0".
|
|
|
|
|
*/
|
|
|
|
|
virSecurityDriverSetDOI(conn, drv, SECURITY_SELINUX_VOID_DOI);
|
|
|
|
|
return SELinuxInitialize(conn);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int
|
|
|
|
|
SELinuxGetSecurityLabel(virConnectPtr conn,
|
|
|
|
|
virDomainObjPtr vm,
|
|
|
|
|
virSecurityLabelPtr sec)
|
|
|
|
|
{
|
|
|
|
|
security_context_t ctx;
|
|
|
|
|
|
|
|
|
|
if (getpidcon(vm->pid, &ctx) == -1) {
|
2009-08-28 17:44:43 +00:00
|
|
|
virReportSystemError(conn, errno,
|
|
|
|
|
_("unable to get PID %d security context"),
|
|
|
|
|
vm->pid);
|
2009-03-03 10:06:49 +00:00
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (strlen((char *) ctx) >= VIR_SECURITY_LABEL_BUFLEN) {
|
2009-10-27 16:20:22 +00:00
|
|
|
virSecurityReportError(conn, VIR_ERR_INTERNAL_ERROR,
|
2009-08-28 17:44:43 +00:00
|
|
|
_("security label exceeds "
|
2009-10-27 16:20:22 +00:00
|
|
|
"maximum length: %d"),
|
2009-03-03 10:06:49 +00:00
|
|
|
VIR_SECURITY_LABEL_BUFLEN - 1);
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
strcpy(sec->label, (char *) ctx);
|
|
|
|
|
free(ctx);
|
|
|
|
|
|
|
|
|
|
sec->enforcing = security_getenforce();
|
|
|
|
|
if (sec->enforcing == -1) {
|
2009-08-28 17:44:43 +00:00
|
|
|
virReportSystemError(conn, errno, "%s",
|
|
|
|
|
_("error calling security_getenforce()"));
|
2009-03-03 10:06:49 +00:00
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int
|
2009-03-17 11:35:40 +00:00
|
|
|
SELinuxSetFilecon(virConnectPtr conn, const char *path, char *tcon)
|
2009-03-03 10:06:49 +00:00
|
|
|
{
|
2009-07-03 10:27:46 +00:00
|
|
|
security_context_t econ;
|
2009-03-03 10:06:49 +00:00
|
|
|
|
2009-07-03 10:26:37 +00:00
|
|
|
VIR_INFO("Setting SELinux context on '%s' to '%s'", path, tcon);
|
|
|
|
|
|
2009-07-03 10:27:46 +00:00
|
|
|
if (setfilecon(path, tcon) < 0) {
|
2009-08-21 14:57:29 +00:00
|
|
|
int setfilecon_errno = errno;
|
|
|
|
|
|
2009-07-03 10:27:46 +00:00
|
|
|
if (getfilecon(path, &econ) >= 0) {
|
|
|
|
|
if (STREQ(tcon, econ)) {
|
|
|
|
|
freecon(econ);
|
|
|
|
|
/* It's alright, there's nothing to change anyway. */
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
freecon(econ);
|
|
|
|
|
}
|
2009-08-21 14:57:29 +00:00
|
|
|
|
|
|
|
|
/* if the error complaint is related to an image hosted on
|
2009-08-14 13:23:11 +00:00
|
|
|
* an nfs mount, or a usbfs/sysfs filesystem not supporting
|
|
|
|
|
* labelling, then just ignore it & hope for the best.
|
2009-09-22 09:42:06 +00:00
|
|
|
* The user hopefully set one of the necessary SELinux
|
2009-08-14 13:23:11 +00:00
|
|
|
* virt_use_{nfs,usb,pci} boolean tunables to allow it...
|
2009-08-21 14:57:29 +00:00
|
|
|
*/
|
|
|
|
|
if (setfilecon_errno != EOPNOTSUPP) {
|
2009-08-28 17:44:43 +00:00
|
|
|
virReportSystemError(conn, setfilecon_errno,
|
|
|
|
|
_("unable to set security context '%s' on '%s'"),
|
|
|
|
|
tcon, path);
|
2009-08-21 14:57:29 +00:00
|
|
|
if (security_getenforce() == 1)
|
|
|
|
|
return -1;
|
2009-08-28 17:44:43 +00:00
|
|
|
} else {
|
|
|
|
|
VIR_INFO("Setting security context '%s' on '%s' not supported",
|
|
|
|
|
tcon, path);
|
2009-08-21 14:57:29 +00:00
|
|
|
}
|
2009-03-03 10:06:49 +00:00
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int
|
2009-08-14 13:23:11 +00:00
|
|
|
SELinuxRestoreSecurityFileLabel(virConnectPtr conn,
|
|
|
|
|
const char *path)
|
2009-03-03 10:06:49 +00:00
|
|
|
{
|
2009-03-17 11:35:40 +00:00
|
|
|
struct stat buf;
|
|
|
|
|
security_context_t fcon = NULL;
|
|
|
|
|
int rc = -1;
|
2009-04-01 10:26:22 +00:00
|
|
|
int err;
|
2009-03-17 11:35:40 +00:00
|
|
|
char *newpath = NULL;
|
2009-07-15 11:45:13 +00:00
|
|
|
|
2009-08-28 17:44:43 +00:00
|
|
|
VIR_INFO("Restoring SELinux context on '%s'", path);
|
|
|
|
|
|
2009-04-01 10:26:22 +00:00
|
|
|
if ((err = virFileResolveLink(path, &newpath)) < 0) {
|
|
|
|
|
virReportSystemError(conn, err,
|
|
|
|
|
_("cannot resolve symlink %s"), path);
|
|
|
|
|
goto err;
|
2009-03-03 10:06:49 +00:00
|
|
|
}
|
2009-03-17 11:35:40 +00:00
|
|
|
|
2009-04-01 10:26:22 +00:00
|
|
|
if (stat(newpath, &buf) != 0)
|
|
|
|
|
goto err;
|
|
|
|
|
|
|
|
|
|
if (matchpathcon(newpath, buf.st_mode, &fcon) == 0) {
|
|
|
|
|
rc = SELinuxSetFilecon(conn, newpath, fcon);
|
2009-03-17 11:35:40 +00:00
|
|
|
}
|
|
|
|
|
err:
|
|
|
|
|
VIR_FREE(fcon);
|
|
|
|
|
VIR_FREE(newpath);
|
|
|
|
|
return rc;
|
2009-03-03 10:06:49 +00:00
|
|
|
}
|
|
|
|
|
|
2009-08-14 13:23:11 +00:00
|
|
|
static int
|
|
|
|
|
SELinuxRestoreSecurityImageLabel(virConnectPtr conn,
|
2009-10-07 10:36:35 +00:00
|
|
|
virDomainObjPtr vm ATTRIBUTE_UNUSED,
|
2009-08-14 13:23:11 +00:00
|
|
|
virDomainDiskDefPtr disk)
|
|
|
|
|
{
|
|
|
|
|
/* Don't restore labels on readoly/shared disks, because
|
|
|
|
|
* other VMs may still be accessing these
|
|
|
|
|
* Alternatively we could iterate over all running
|
|
|
|
|
* domains and try to figure out if it is in use, but
|
|
|
|
|
* this would not work for clustered filesystems, since
|
|
|
|
|
* we can't see running VMs using the file on other nodes
|
|
|
|
|
* Safest bet is thus to skip the restore step.
|
|
|
|
|
*/
|
|
|
|
|
if (disk->readonly || disk->shared)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
if (!disk->src)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
return SELinuxRestoreSecurityFileLabel(conn, disk->src);
|
|
|
|
|
}
|
|
|
|
|
|
2009-03-03 10:06:49 +00:00
|
|
|
static int
|
|
|
|
|
SELinuxSetSecurityImageLabel(virConnectPtr conn,
|
|
|
|
|
virDomainObjPtr vm,
|
2009-03-17 11:35:40 +00:00
|
|
|
virDomainDiskDefPtr disk)
|
2009-03-03 10:06:49 +00:00
|
|
|
|
|
|
|
|
{
|
|
|
|
|
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
|
2009-09-25 13:20:13 +00:00
|
|
|
const char *path;
|
2009-03-03 10:06:49 +00:00
|
|
|
|
2009-07-03 10:29:09 +00:00
|
|
|
if (!disk->src)
|
|
|
|
|
return 0;
|
|
|
|
|
|
2009-09-25 13:20:13 +00:00
|
|
|
path = disk->src;
|
|
|
|
|
do {
|
|
|
|
|
virStorageFileMetadata meta;
|
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
|
|
memset(&meta, 0, sizeof(meta));
|
|
|
|
|
|
|
|
|
|
ret = virStorageFileGetMetadata(conn, path, &meta);
|
|
|
|
|
|
|
|
|
|
if (path != disk->src)
|
|
|
|
|
VIR_FREE(path);
|
|
|
|
|
path = NULL;
|
|
|
|
|
|
|
|
|
|
if (ret < 0)
|
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
|
|
if (meta.backingStore != NULL &&
|
|
|
|
|
SELinuxSetFilecon(conn, meta.backingStore,
|
|
|
|
|
default_content_context) < 0) {
|
|
|
|
|
VIR_FREE(meta.backingStore);
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
path = meta.backingStore;
|
|
|
|
|
} while (path != NULL);
|
|
|
|
|
|
2009-07-03 10:26:37 +00:00
|
|
|
if (disk->shared) {
|
|
|
|
|
return SELinuxSetFilecon(conn, disk->src, default_image_context);
|
|
|
|
|
} else if (disk->readonly) {
|
|
|
|
|
return SELinuxSetFilecon(conn, disk->src, default_content_context);
|
|
|
|
|
} else if (secdef->imagelabel) {
|
2009-03-17 11:35:40 +00:00
|
|
|
return SELinuxSetFilecon(conn, disk->src, secdef->imagelabel);
|
2009-07-03 10:26:37 +00:00
|
|
|
}
|
2009-03-17 11:35:40 +00:00
|
|
|
|
2009-03-03 10:06:49 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2009-08-14 13:23:11 +00:00
|
|
|
|
|
|
|
|
static int
|
|
|
|
|
SELinuxSetSecurityPCILabel(virConnectPtr conn,
|
|
|
|
|
pciDevice *dev ATTRIBUTE_UNUSED,
|
|
|
|
|
const char *file, void *opaque)
|
|
|
|
|
{
|
|
|
|
|
virDomainObjPtr vm = opaque;
|
|
|
|
|
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
|
|
|
|
|
|
|
|
|
|
return SELinuxSetFilecon(conn, file, secdef->imagelabel);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int
|
|
|
|
|
SELinuxSetSecurityUSBLabel(virConnectPtr conn,
|
|
|
|
|
usbDevice *dev ATTRIBUTE_UNUSED,
|
|
|
|
|
const char *file, void *opaque)
|
|
|
|
|
{
|
|
|
|
|
virDomainObjPtr vm = opaque;
|
|
|
|
|
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
|
|
|
|
|
|
|
|
|
|
return SELinuxSetFilecon(conn, file, secdef->imagelabel);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int
|
|
|
|
|
SELinuxSetSecurityHostdevLabel(virConnectPtr conn,
|
|
|
|
|
virDomainObjPtr vm,
|
|
|
|
|
virDomainHostdevDefPtr dev)
|
|
|
|
|
|
|
|
|
|
{
|
|
|
|
|
int ret = -1;
|
|
|
|
|
|
|
|
|
|
if (dev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
switch (dev->source.subsys.type) {
|
|
|
|
|
case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB: {
|
|
|
|
|
if (dev->source.subsys.u.usb.bus && dev->source.subsys.u.usb.device) {
|
|
|
|
|
usbDevice *usb = usbGetDevice(conn,
|
|
|
|
|
dev->source.subsys.u.usb.bus,
|
|
|
|
|
dev->source.subsys.u.usb.device);
|
|
|
|
|
|
|
|
|
|
if (!usb)
|
|
|
|
|
goto done;
|
|
|
|
|
|
|
|
|
|
ret = usbDeviceFileIterate(conn, usb, SELinuxSetSecurityUSBLabel, vm);
|
|
|
|
|
usbFreeDevice(conn, usb);
|
|
|
|
|
} else {
|
|
|
|
|
/* XXX deal with product/vendor better */
|
|
|
|
|
ret = 0;
|
|
|
|
|
}
|
2009-09-30 17:37:03 +00:00
|
|
|
break;
|
2009-08-14 13:23:11 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI: {
|
|
|
|
|
pciDevice *pci = pciGetDevice(conn,
|
|
|
|
|
dev->source.subsys.u.pci.domain,
|
|
|
|
|
dev->source.subsys.u.pci.bus,
|
|
|
|
|
dev->source.subsys.u.pci.slot,
|
|
|
|
|
dev->source.subsys.u.pci.function);
|
|
|
|
|
|
|
|
|
|
if (!pci)
|
|
|
|
|
goto done;
|
|
|
|
|
|
|
|
|
|
ret = pciDeviceFileIterate(conn, pci, SELinuxSetSecurityPCILabel, vm);
|
|
|
|
|
pciFreeDevice(conn, pci);
|
|
|
|
|
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
ret = 0;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
done:
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int
|
|
|
|
|
SELinuxRestoreSecurityPCILabel(virConnectPtr conn,
|
|
|
|
|
pciDevice *dev ATTRIBUTE_UNUSED,
|
|
|
|
|
const char *file,
|
|
|
|
|
void *opaque ATTRIBUTE_UNUSED)
|
|
|
|
|
{
|
|
|
|
|
return SELinuxRestoreSecurityFileLabel(conn, file);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int
|
|
|
|
|
SELinuxRestoreSecurityUSBLabel(virConnectPtr conn,
|
|
|
|
|
usbDevice *dev ATTRIBUTE_UNUSED,
|
|
|
|
|
const char *file,
|
|
|
|
|
void *opaque ATTRIBUTE_UNUSED)
|
|
|
|
|
{
|
|
|
|
|
return SELinuxRestoreSecurityFileLabel(conn, file);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int
|
|
|
|
|
SELinuxRestoreSecurityHostdevLabel(virConnectPtr conn,
|
|
|
|
|
virDomainHostdevDefPtr dev)
|
|
|
|
|
|
|
|
|
|
{
|
|
|
|
|
int ret = -1;
|
|
|
|
|
|
|
|
|
|
if (dev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
switch (dev->source.subsys.type) {
|
|
|
|
|
case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB: {
|
|
|
|
|
usbDevice *usb = usbGetDevice(conn,
|
|
|
|
|
dev->source.subsys.u.usb.bus,
|
|
|
|
|
dev->source.subsys.u.usb.device);
|
|
|
|
|
|
|
|
|
|
if (!usb)
|
|
|
|
|
goto done;
|
|
|
|
|
|
|
|
|
|
ret = usbDeviceFileIterate(conn, usb, SELinuxRestoreSecurityUSBLabel, NULL);
|
|
|
|
|
usbFreeDevice(conn, usb);
|
|
|
|
|
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI: {
|
|
|
|
|
pciDevice *pci = pciGetDevice(conn,
|
|
|
|
|
dev->source.subsys.u.pci.domain,
|
|
|
|
|
dev->source.subsys.u.pci.bus,
|
|
|
|
|
dev->source.subsys.u.pci.slot,
|
|
|
|
|
dev->source.subsys.u.pci.function);
|
|
|
|
|
|
|
|
|
|
if (!pci)
|
|
|
|
|
goto done;
|
|
|
|
|
|
|
|
|
|
ret = pciDeviceFileIterate(conn, pci, SELinuxRestoreSecurityPCILabel, NULL);
|
|
|
|
|
pciFreeDevice(conn, pci);
|
|
|
|
|
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
ret = 0;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
done:
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2009-03-03 10:06:49 +00:00
|
|
|
static int
|
|
|
|
|
SELinuxRestoreSecurityLabel(virConnectPtr conn,
|
|
|
|
|
virDomainObjPtr vm)
|
|
|
|
|
{
|
|
|
|
|
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
|
|
|
|
|
int i;
|
|
|
|
|
int rc = 0;
|
2009-08-28 17:44:43 +00:00
|
|
|
|
|
|
|
|
VIR_DEBUG("Restoring security label on %s", vm->def->name);
|
|
|
|
|
|
2009-03-03 10:06:49 +00:00
|
|
|
if (secdef->imagelabel) {
|
2009-08-14 13:23:11 +00:00
|
|
|
for (i = 0 ; i < vm->def->nhostdevs ; i++) {
|
|
|
|
|
if (SELinuxRestoreSecurityHostdevLabel(conn, vm->def->hostdevs[i]) < 0)
|
|
|
|
|
rc = -1;
|
|
|
|
|
}
|
2009-03-03 10:06:49 +00:00
|
|
|
for (i = 0 ; i < vm->def->ndisks ; i++) {
|
2009-10-07 10:36:35 +00:00
|
|
|
if (SELinuxRestoreSecurityImageLabel(conn, vm,
|
|
|
|
|
vm->def->disks[i]) < 0)
|
2009-03-03 10:06:49 +00:00
|
|
|
rc = -1;
|
|
|
|
|
}
|
|
|
|
|
VIR_FREE(secdef->model);
|
|
|
|
|
VIR_FREE(secdef->label);
|
|
|
|
|
context_t con = context_new(secdef->imagelabel);
|
|
|
|
|
if (con) {
|
|
|
|
|
mcsRemove(context_range_get(con));
|
|
|
|
|
context_free(con);
|
|
|
|
|
}
|
|
|
|
|
VIR_FREE(secdef->imagelabel);
|
|
|
|
|
}
|
|
|
|
|
return rc;
|
|
|
|
|
}
|
|
|
|
|
|
2009-04-03 10:55:51 +00:00
|
|
|
static int
|
|
|
|
|
SELinuxSecurityVerify(virConnectPtr conn, virDomainDefPtr def)
|
|
|
|
|
{
|
|
|
|
|
const virSecurityLabelDefPtr secdef = &def->seclabel;
|
|
|
|
|
if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC) {
|
|
|
|
|
if (security_check_context(secdef->label) != 0) {
|
|
|
|
|
virSecurityReportError(conn, VIR_ERR_XML_ERROR,
|
|
|
|
|
_("Invalid security label %s"), secdef->label);
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2009-03-03 10:06:49 +00:00
|
|
|
static int
|
|
|
|
|
SELinuxSetSecurityLabel(virConnectPtr conn,
|
|
|
|
|
virSecurityDriverPtr drv,
|
|
|
|
|
virDomainObjPtr vm)
|
|
|
|
|
{
|
|
|
|
|
/* TODO: verify DOI */
|
|
|
|
|
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
|
|
|
|
|
int i;
|
|
|
|
|
|
|
|
|
|
if (!STREQ(drv->name, secdef->model)) {
|
2009-10-27 16:20:22 +00:00
|
|
|
virSecurityReportError(conn, VIR_ERR_INTERNAL_ERROR,
|
2009-08-28 17:44:43 +00:00
|
|
|
_("security label driver mismatch: "
|
|
|
|
|
"'%s' model configured for domain, but "
|
|
|
|
|
"hypervisor driver is '%s'."),
|
|
|
|
|
secdef->model, drv->name);
|
2009-03-03 10:06:49 +00:00
|
|
|
if (security_getenforce() == 1)
|
2009-08-28 17:44:43 +00:00
|
|
|
return -1;
|
2009-03-03 10:06:49 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (setexeccon(secdef->label) == -1) {
|
2009-08-28 17:44:43 +00:00
|
|
|
virReportSystemError(conn, errno,
|
|
|
|
|
_("unable to set security context '%s'"),
|
|
|
|
|
secdef->label);
|
2009-03-03 10:06:49 +00:00
|
|
|
if (security_getenforce() == 1)
|
2009-08-28 17:44:43 +00:00
|
|
|
return -1;
|
2009-03-03 10:06:49 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (secdef->imagelabel) {
|
|
|
|
|
for (i = 0 ; i < vm->def->ndisks ; i++) {
|
2009-03-17 11:35:40 +00:00
|
|
|
if (SELinuxSetSecurityImageLabel(conn, vm, vm->def->disks[i]) < 0)
|
|
|
|
|
return -1;
|
2009-03-03 10:06:49 +00:00
|
|
|
}
|
2009-08-14 13:23:11 +00:00
|
|
|
for (i = 0 ; i < vm->def->nhostdevs ; i++) {
|
|
|
|
|
if (SELinuxSetSecurityHostdevLabel(conn, vm, vm->def->hostdevs[i]) < 0)
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
2009-03-03 10:06:49 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
virSecurityDriver virSELinuxSecurityDriver = {
|
|
|
|
|
.name = SECURITY_SELINUX_NAME,
|
|
|
|
|
.probe = SELinuxSecurityDriverProbe,
|
|
|
|
|
.open = SELinuxSecurityDriverOpen,
|
2009-04-03 10:55:51 +00:00
|
|
|
.domainSecurityVerify = SELinuxSecurityVerify,
|
2009-03-03 10:06:49 +00:00
|
|
|
.domainSetSecurityImageLabel = SELinuxSetSecurityImageLabel,
|
|
|
|
|
.domainRestoreSecurityImageLabel = SELinuxRestoreSecurityImageLabel,
|
|
|
|
|
.domainGenSecurityLabel = SELinuxGenSecurityLabel,
|
2009-06-12 11:38:50 +00:00
|
|
|
.domainReserveSecurityLabel = SELinuxReserveSecurityLabel,
|
2009-03-03 10:06:49 +00:00
|
|
|
.domainGetSecurityLabel = SELinuxGetSecurityLabel,
|
|
|
|
|
.domainRestoreSecurityLabel = SELinuxRestoreSecurityLabel,
|
|
|
|
|
.domainSetSecurityLabel = SELinuxSetSecurityLabel,
|
2009-08-14 13:23:11 +00:00
|
|
|
.domainSetSecurityHostdevLabel = SELinuxSetSecurityHostdevLabel,
|
|
|
|
|
.domainRestoreSecurityHostdevLabel = SELinuxRestoreSecurityHostdevLabel,
|
2009-03-03 10:06:49 +00:00
|
|
|
};
|
