qemu: fix security labeling for attach/detach of char devices

Commit e93d844b90 was not enough to fix the permission denied
issue.  We need to apply security labels as well.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1465833

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
This commit is contained in:
Pavel Hrdina 2017-12-01 13:10:35 +01:00
parent 1b4f66ec80
commit 1c57eea362
3 changed files with 78 additions and 0 deletions

View File

@ -1815,6 +1815,7 @@ int qemuDomainAttachChrDevice(virConnectPtr conn,
bool chardevAttached = false;
bool teardowncgroup = false;
bool teardowndevice = false;
bool teardownlabel = false;
char *tlsAlias = NULL;
char *secAlias = NULL;
bool need_release = false;
@ -1835,6 +1836,10 @@ int qemuDomainAttachChrDevice(virConnectPtr conn,
goto cleanup;
teardowndevice = true;
if (qemuSecuritySetChardevLabel(driver, vm, chr) < 0)
goto cleanup;
teardownlabel = true;
if (qemuSetupChardevCgroup(vm, chr) < 0)
goto cleanup;
teardowncgroup = true;
@ -1877,6 +1882,8 @@ int qemuDomainAttachChrDevice(virConnectPtr conn,
qemuDomainReleaseDeviceAddress(vm, &chr->info, NULL);
if (teardowncgroup && qemuTeardownChardevCgroup(vm, chr) < 0)
VIR_WARN("Unable to remove chr device cgroup ACL on hotplug fail");
if (teardownlabel && qemuSecurityRestoreChardevLabel(driver, vm, chr) < 0)
VIR_WARN("Unable to restore security label on char device");
if (teardowndevice && qemuDomainNamespaceTeardownChardev(driver, vm, chr) < 0)
VIR_WARN("Unable to remove chr device from /dev");
}
@ -4154,6 +4161,9 @@ qemuDomainRemoveChrDevice(virQEMUDriverPtr driver,
if (qemuTeardownChardevCgroup(vm, chr) < 0)
VIR_WARN("Failed to remove chr device cgroup ACL");
if (qemuSecurityRestoreChardevLabel(driver, vm, chr) < 0)
VIR_WARN("Unable to restore security label on char device");
if (qemuDomainNamespaceTeardownChardev(driver, vm, chr) < 0)
VIR_WARN("Unable to remove chr device from /dev");

View File

@ -364,3 +364,63 @@ qemuSecurityRestoreInputLabel(virDomainObjPtr vm,
virSecurityManagerTransactionAbort(driver->securityManager);
return ret;
}
int
qemuSecuritySetChardevLabel(virQEMUDriverPtr driver,
virDomainObjPtr vm,
virDomainChrDefPtr chr)
{
int ret = -1;
qemuDomainObjPrivatePtr priv = vm->privateData;
if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
virSecurityManagerTransactionStart(driver->securityManager) < 0)
goto cleanup;
if (virSecurityManagerSetChardevLabel(driver->securityManager,
vm->def,
chr->source,
priv->chardevStdioLogd) < 0)
goto cleanup;
if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
virSecurityManagerTransactionCommit(driver->securityManager,
vm->pid) < 0)
goto cleanup;
ret = 0;
cleanup:
virSecurityManagerTransactionAbort(driver->securityManager);
return ret;
}
int
qemuSecurityRestoreChardevLabel(virQEMUDriverPtr driver,
virDomainObjPtr vm,
virDomainChrDefPtr chr)
{
int ret = -1;
qemuDomainObjPrivatePtr priv = vm->privateData;
if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
virSecurityManagerTransactionStart(driver->securityManager) < 0)
goto cleanup;
if (virSecurityManagerRestoreChardevLabel(driver->securityManager,
vm->def,
chr->source,
priv->chardevStdioLogd) < 0)
goto cleanup;
if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
virSecurityManagerTransactionCommit(driver->securityManager,
vm->pid) < 0)
goto cleanup;
ret = 0;
cleanup:
virSecurityManagerTransactionAbort(driver->securityManager);
return ret;
}

View File

@ -76,6 +76,14 @@ int qemuSecuritySetInputLabel(virDomainObjPtr vm,
int qemuSecurityRestoreInputLabel(virDomainObjPtr vm,
virDomainInputDefPtr input);
int qemuSecuritySetChardevLabel(virQEMUDriverPtr driver,
virDomainObjPtr vm,
virDomainChrDefPtr chr);
int qemuSecurityRestoreChardevLabel(virQEMUDriverPtr driver,
virDomainObjPtr vm,
virDomainChrDefPtr chr);
/* Please note that for these APIs there is no wrapper yet. Do NOT blindly add
* new APIs here. If an API can touch a /dev file add a proper wrapper instead.
*/