security: Introduce SetSocketLabel

This API labels all sockets created until ClearSocketLabel is called in a way that a vm can access them (i.e., they are labeled with svirt_t based label in SELinux).
2025-03-20 07:59:00 +00:00 · 2011-08-26 09:39:32 +02:00 · 2011-08-26 09:39:32 +02:00 · 520d91f8bd
commit 520d91f8bd
parent 4c85d96f27
9 changed files with 95 additions and 0 deletions
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@ -911,6 +911,7 @@ virSecurityManagerSetHostdevLabel;
 virSecurityManagerSetProcessFDLabel;
 virSecurityManagerSetProcessLabel;
 virSecurityManagerSetSavedStateLabel;
+virSecurityManagerSetSocketLabel;
 virSecurityManagerVerify;

 # sexpr.h
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@ -584,6 +584,13 @@ AppArmorSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
    return 0;
 }

+static int
+AppArmorSetSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+                               virDomainObjPtr vm ATTRIBUTE_UNUSED)
+{
+    return 0;
+}
+
 static int
 AppArmorClearSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                 virDomainObjPtr vm ATTRIBUTE_UNUSED)
@ -836,6 +843,7 @@ virSecurityDriver virAppArmorSecurityDriver = {
    AppArmorRestoreSecurityImageLabel,

    AppArmorSetSecurityDaemonSocketLabel,
+    AppArmorSetSecuritySocketLabel,
    AppArmorClearSecuritySocketLabel,

    AppArmorGenSecurityLabel,
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@ -674,6 +674,14 @@ virSecurityDACSetDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
 }


+static int
+virSecurityDACSetSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+                             virDomainObjPtr vm ATTRIBUTE_UNUSED)
+{
+    return 0;
+}
+
+
 static int
 virSecurityDACClearSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                 virDomainObjPtr vm ATTRIBUTE_UNUSED)
@ -715,6 +723,7 @@ virSecurityDriver virSecurityDriverDAC = {
    virSecurityDACRestoreSecurityImageLabel,

    virSecurityDACSetDaemonSocketLabel,
+    virSecurityDACSetSocketLabel,
    virSecurityDACClearSocketLabel,

    virSecurityDACGenLabel,
--- a/src/security/security_driver.h
+++ b/src/security/security_driver.h
@ -43,6 +43,8 @@ typedef int (*virSecurityDomainRestoreImageLabel) (virSecurityManagerPtr mgr,
                                                   virDomainDiskDefPtr disk);
 typedef int (*virSecurityDomainSetDaemonSocketLabel)(virSecurityManagerPtr mgr,
                                                     virDomainObjPtr vm);
+typedef int (*virSecurityDomainSetSocketLabel) (virSecurityManagerPtr mgr,
+                                                virDomainObjPtr vm);
 typedef int (*virSecurityDomainClearSocketLabel)(virSecurityManagerPtr mgr,
                                                virDomainObjPtr vm);
 typedef int (*virSecurityDomainSetImageLabel) (virSecurityManagerPtr mgr,
@ -102,6 +104,7 @@ struct _virSecurityDriver {
    virSecurityDomainRestoreImageLabel domainRestoreSecurityImageLabel;

    virSecurityDomainSetDaemonSocketLabel domainSetSecurityDaemonSocketLabel;
+    virSecurityDomainSetSocketLabel domainSetSecuritySocketLabel;
    virSecurityDomainClearSocketLabel domainClearSecuritySocketLabel;

    virSecurityDomainGenLabel domainGenSecurityLabel;
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@ -170,6 +170,16 @@ int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr,
    return -1;
 }

+int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr,
+                                     virDomainObjPtr vm)
+{
+    if (mgr->drv->domainSetSecuritySocketLabel)
+        return mgr->drv->domainSetSecuritySocketLabel(mgr, vm);
+
+    virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
+    return -1;
+}
+
 int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr,
                                       virDomainObjPtr vm)
 {
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@ -55,6 +55,8 @@ int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr,
                                        virDomainDiskDefPtr disk);
 int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr,
                                           virDomainObjPtr vm);
+int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr,
+                                     virDomainObjPtr vm);
 int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr,
                                       virDomainObjPtr vm);
 int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr,
--- a/src/security/security_nop.c
+++ b/src/security/security_nop.c
@ -59,6 +59,12 @@ static int virSecurityDomainSetDaemonSocketLabelNop(virSecurityManagerPtr mgr AT
    return 0;
 }

+static int virSecurityDomainSetSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+                                              virDomainObjPtr vm ATTRIBUTE_UNUSED)
+{
+    return 0;
+}
+
 static int virSecurityDomainClearSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                                virDomainObjPtr vm ATTRIBUTE_UNUSED)
 {
@ -172,6 +178,7 @@ virSecurityDriver virSecurityDriverNop = {
    virSecurityDomainRestoreImageLabelNop,

    virSecurityDomainSetDaemonSocketLabelNop,
+    virSecurityDomainSetSocketLabelNop,
    virSecurityDomainClearSocketLabelNop,

    virSecurityDomainGenLabelNop,
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@ -1136,6 +1136,43 @@ done:
    return rc;
 }

+static int
+SELinuxSetSecuritySocketLabel(virSecurityManagerPtr mgr,
+                              virDomainObjPtr vm)
+{
+    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+    int rc = -1;
+
+    if (secdef->label == NULL)
+        return 0;
+
+    if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
+        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
+                               _("security label driver mismatch: "
+                                 "'%s' model configured for domain, but "
+                                 "hypervisor driver is '%s'."),
+                               secdef->model, virSecurityManagerGetModel(mgr));
+        goto done;
+    }
+
+    VIR_DEBUG("Setting VM %s socket context %s",
+              vm->def->name, secdef->label);
+    if (setsockcreatecon(secdef->label) == -1) {
+        virReportSystemError(errno,
+                             _("unable to set socket security context '%s'"),
+                             secdef->label);
+        goto done;
+    }
+
+    rc = 0;
+
+done:
+    if (security_getenforce() != 1)
+        rc = 0;
+
+    return rc;
+}
+
 static int
 SELinuxClearSecuritySocketLabel(virSecurityManagerPtr mgr,
                                virDomainObjPtr vm)
@ -1313,6 +1350,7 @@ virSecurityDriver virSecurityDriverSELinux = {
    SELinuxRestoreSecurityImageLabel,

    SELinuxSetSecurityDaemonSocketLabel,
+    SELinuxSetSecuritySocketLabel,
    SELinuxClearSecuritySocketLabel,

    SELinuxGenSecurityLabel,
--- a/src/security/security_stack.c
+++ b/src/security/security_stack.c
@ -354,6 +354,22 @@ virSecurityStackSetDaemonSocketLabel(virSecurityManagerPtr mgr,
 }


+static int
+virSecurityStackSetSocketLabel(virSecurityManagerPtr mgr,
+                               virDomainObjPtr vm)
+{
+    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+    int rc = 0;
+
+    if (virSecurityManagerSetSocketLabel(priv->secondary, vm) < 0)
+        rc = -1;
+    if (virSecurityManagerSetSocketLabel(priv->primary, vm) < 0)
+        rc = -1;
+
+    return rc;
+}
+
+
 static int
 virSecurityStackClearSocketLabel(virSecurityManagerPtr mgr,
                                 virDomainObjPtr vm)
@ -419,6 +435,7 @@ virSecurityDriver virSecurityDriverStack = {
    virSecurityStackRestoreSecurityImageLabel,

    virSecurityStackSetDaemonSocketLabel,
+    virSecurityStackSetSocketLabel,
    virSecurityStackClearSocketLabel,

    virSecurityStackGenLabel,