security: dac: Relabel /dev/sev in the namespace
The default permissions (0600 root:root) are of no use to the qemu process so we need to change the owner to qemu iff running with namespaces. Signed-off-by: Erik Skultety <eskultet@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
parent
6fd4c8f878
commit
17f6a257f1
@ -48,6 +48,7 @@
|
|||||||
VIR_LOG_INIT("security.security_dac");
|
VIR_LOG_INIT("security.security_dac");
|
||||||
|
|
||||||
#define SECURITY_DAC_NAME "dac"
|
#define SECURITY_DAC_NAME "dac"
|
||||||
|
#define DEV_SEV "/dev/sev"
|
||||||
|
|
||||||
typedef struct _virSecurityDACData virSecurityDACData;
|
typedef struct _virSecurityDACData virSecurityDACData;
|
||||||
typedef virSecurityDACData *virSecurityDACDataPtr;
|
typedef virSecurityDACData *virSecurityDACDataPtr;
|
||||||
@ -1676,6 +1677,16 @@ virSecurityDACRestoreMemoryLabel(virSecurityManagerPtr mgr,
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static int
|
||||||
|
virSecurityDACRestoreSEVLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
||||||
|
virDomainDefPtr def ATTRIBUTE_UNUSED)
|
||||||
|
{
|
||||||
|
/* we only label /dev/sev when running with namespaces, so we don't need to
|
||||||
|
* restore anything */
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
static int
|
static int
|
||||||
virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
|
virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr def,
|
virDomainDefPtr def,
|
||||||
@ -1746,6 +1757,11 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
|
|||||||
rc = -1;
|
rc = -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (def->sev) {
|
||||||
|
if (virSecurityDACRestoreSEVLabel(mgr, def) < 0)
|
||||||
|
rc = -1;
|
||||||
|
}
|
||||||
|
|
||||||
if (def->os.loader && def->os.loader->nvram &&
|
if (def->os.loader && def->os.loader->nvram &&
|
||||||
virSecurityDACRestoreFileLabel(mgr, def->os.loader->nvram) < 0)
|
virSecurityDACRestoreFileLabel(mgr, def->os.loader->nvram) < 0)
|
||||||
rc = -1;
|
rc = -1;
|
||||||
@ -1819,6 +1835,36 @@ virSecurityDACSetMemoryLabel(virSecurityManagerPtr mgr,
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static int
|
||||||
|
virSecurityDACSetSEVLabel(virSecurityManagerPtr mgr,
|
||||||
|
virDomainDefPtr def)
|
||||||
|
{
|
||||||
|
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
|
||||||
|
virSecurityLabelDefPtr seclabel;
|
||||||
|
uid_t user;
|
||||||
|
gid_t group;
|
||||||
|
|
||||||
|
/* Skip chowning /dev/sev if namespaces are disabled as we'd significantly
|
||||||
|
* increase the chance of a DOS attack on SEV
|
||||||
|
*/
|
||||||
|
if (!priv->mountNamespace)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
|
||||||
|
if (seclabel && !seclabel->relabel)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL) < 0)
|
||||||
|
return -1;
|
||||||
|
|
||||||
|
if (virSecurityDACSetOwnership(mgr, NULL, DEV_SEV,
|
||||||
|
user, group, false) < 0)
|
||||||
|
return -1;
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
static int
|
static int
|
||||||
virSecurityDACSetAllLabel(virSecurityManagerPtr mgr,
|
virSecurityDACSetAllLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr def,
|
virDomainDefPtr def,
|
||||||
@ -1888,6 +1934,11 @@ virSecurityDACSetAllLabel(virSecurityManagerPtr mgr,
|
|||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (def->sev) {
|
||||||
|
if (virSecurityDACSetSEVLabel(mgr, def) < 0)
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
if (virSecurityDACGetImageIds(secdef, priv, &user, &group))
|
if (virSecurityDACGetImageIds(secdef, priv, &user, &group))
|
||||||
return -1;
|
return -1;
|
||||||
|
|
||||||
|
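Review bot: The comment above the `if (!priv->mountNamespace)` guard in virSecurityDACSetSEVLabel says that chowning /dev/sev without namespaces raises the DoS risk, but it does not say why, and the no-op virSecurityDACRestoreSEVLabel silently depends on that same guard. I would spell out the invariant in the setter, e.g. `/* Only chown /dev/sev inside the domain's mount namespace; on the host node this would let any process running as the qemu user open the SEV device. */`, presumably because the namespace holds its own copy of the node (that setup is not visible in this diff). The restore comment should then say `/* must restore root:root here if the mountNamespace guard in virSecurityDACSetSEVLabel is ever relaxed */`, so the two functions cannot drift apart unnoticed. It is also worth a line noting that the `seclabel && !seclabel->relabel` early return leaves the node at the 0600 root:root default named in the commit message, and that the bare `false` passed to virSecurityDACSetOwnership would read better with a short comment naming the parameter.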