security: Set seclabels for pstore device

The acpi-erst backend for pstore device exposes a path in the host accessible to the guest and as such we must set seclabels on it to grant QEMU RW access. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Kristina Hanicova <khanicov@redhat.com>
2025-02-22 03:12:22 +00:00 · 2024-06-06 09:29:30 +02:00 · 2024-06-06 09:29:30 +02:00 · 9faa615384
commit 9faa615384
parent 3cfe4caa0a
3 changed files with 23 additions and 0 deletions
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@ -1995,6 +1995,10 @@ virSecurityDACRestoreAllLabel(virSecurityManager *mgr,
        virSecurityDACRestoreFileLabel(mgr, def->os.slic_table) < 0)
        rc = -1;

+    if (def->pstore &&
+        virSecurityDACRestoreFileLabel(mgr, def->pstore->path) < 0)
+        rc = -1;
+
    return rc;
 }

@ -2240,6 +2244,12 @@ virSecurityDACSetAllLabel(virSecurityManager *mgr,
                                   user, group, true) < 0)
        return -1;

+    if (def->pstore &&
+        virSecurityDACSetOwnership(mgr, NULL,
+                                   def->pstore->path,
+                                   user, group, true) < 0)
+        return -1;
+
    return 0;
 }

--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@ -2911,6 +2911,10 @@ virSecuritySELinuxRestoreAllLabel(virSecurityManager *mgr,
        virSecuritySELinuxRestoreFileLabel(mgr, def->os.slic_table, true) < 0)
        rc = -1;

+    if (def->pstore &&
+        virSecuritySELinuxRestoreFileLabel(mgr, def->pstore->path, true) < 0)
+        rc = -1;
+
    return rc;
 }

@ -3335,6 +3339,11 @@ virSecuritySELinuxSetAllLabel(virSecurityManager *mgr,
                                     data->content_context, true) < 0)
        return -1;

+    if (def->pstore &&
+        virSecuritySELinuxSetFilecon(mgr, def->pstore->path,
+                                     data->content_context, true) < 0)
+        return -1;
+
    return 0;
 }

--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@ -1002,6 +1002,10 @@ get_files(vahControl * ctl)
        if (vah_add_file(&buf, ctl->def->os.slic_table, "r") != 0)
            goto cleanup;

+    if (ctl->def->pstore)
+        if (vah_add_file(&buf, ctl->def->pstore->path, "rw") != 0)
+            goto cleanup;
+
    if (ctl->def->os.loader && ctl->def->os.loader->path) {
        bool readonly = false;
        virTristateBoolToBool(ctl->def->os.loader->readonly, &readonly);