smartcard: enable SELinux support

* src/security/security_selinux.c (SELinuxRestoreSecuritySmartcardCallback) (SELinuxSetSecuritySmartcardCallback): New helper functions. (SELinuxRestoreSecurityAllLabel, SELinuxSetSecurityAllLabel): Use them.
2025-03-07 17:28:15 +00:00 · 2011-01-14 12:17:17 -07:00 · 2011-01-14 12:17:17 -07:00 · 32e52134ff
commit 32e52134ff
parent 7a2f29e4f9
1 changed files with 76 additions and 0 deletions
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@ -808,6 +808,38 @@ SELinuxRestoreSecurityChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
 }


+static int
+SELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
+                                        virDomainSmartcardDefPtr dev,
+                                        void *opaque)
+{
+    virDomainObjPtr vm = opaque;
+    const char *database;
+
+    switch (dev->type) {
+    case VIR_DOMAIN_SMARTCARD_TYPE_HOST:
+        break;
+
+    case VIR_DOMAIN_SMARTCARD_TYPE_HOST_CERTIFICATES:
+        database = dev->data.cert.database;
+        if (!database)
+            database = VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE;
+        return SELinuxRestoreSecurityFileLabel(database);
+
+    case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
+        return SELinuxRestoreSecurityChardevLabel(vm, &dev->data.passthru);
+
+    default:
+        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
+                               _("unknown smartcard type %d"),
+                               dev->type);
+        return -1;
+    }
+
+    return 0;
+}
+
+
 static int
 SELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                               virDomainObjPtr vm,
@ -842,6 +874,12 @@ SELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                               vm) < 0)
        rc = -1;

+    if (virDomainSmartcardDefForeach(vm->def,
+                                     false,
+                                     SELinuxRestoreSecuritySmartcardCallback,
+                                     vm) < 0)
+        rc = -1;
+
    if (vm->def->os.kernel &&
        SELinuxRestoreSecurityFileLabel(vm->def->os.kernel) < 0)
        rc = -1;
@ -1073,6 +1111,38 @@ SELinuxSetSecurityChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
 }


+static int
+SELinuxSetSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
+                                    virDomainSmartcardDefPtr dev,
+                                    void *opaque)
+{
+    virDomainObjPtr vm = opaque;
+    const char *database;
+
+    switch (dev->type) {
+    case VIR_DOMAIN_SMARTCARD_TYPE_HOST:
+        break;
+
+    case VIR_DOMAIN_SMARTCARD_TYPE_HOST_CERTIFICATES:
+        database = dev->data.cert.database;
+        if (!database)
+            database = VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE;
+        return SELinuxSetFilecon(database, default_content_context);
+
+    case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
+        return SELinuxSetSecurityChardevLabel(vm, &dev->data.passthru);
+
+    default:
+        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
+                               _("unknown smartcard type %d"),
+                               dev->type);
+        return -1;
+    }
+
+    return 0;
+}
+
+
 static int
 SELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
                           virDomainObjPtr vm,
@ -1108,6 +1178,12 @@ SELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
                               vm) < 0)
        return -1;

+    if (virDomainSmartcardDefForeach(vm->def,
+                                     true,
+                                     SELinuxSetSecuritySmartcardCallback,
+                                     vm) < 0)
+        return -1;
+
    if (vm->def->os.kernel &&
        SELinuxSetFilecon(vm->def->os.kernel, default_content_context) < 0)
        return -1;