secdrivers: Relabel firmware config files

When -fw_cfg is given a file, we need to set the seclabels on
that file so that QEMU can access it. While QEMU allows writing
into the file (if specified on the command line), so far we
enable reading only, and thus we can use a read-only label (in
the case of SELinux).

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Michal Privoznik 2020-06-02 20:56:09 +02:00
parent 9ce32b0935
commit d024a7da7a
3 changed files with 112 additions and 0 deletions


@ -1916,6 +1916,24 @@ virSecurityDACRestoreSEVLabel(virSecurityManagerPtr mgr G_GNUC_UNUSED,
}
static int
virSecurityDACRestoreSysinfoLabel(virSecurityManagerPtr mgr,
virSysinfoDefPtr def)
{
size_t i;
for (i = 0; i < def->nfw_cfgs; i++) {
virSysinfoFWCfgDefPtr f = &def->fw_cfgs[i];
if (f->file &&
virSecurityDACRestoreFileLabel(mgr, f->file) < 0)
return -1;
}
return 0;
}
static int
virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def,
@ -1991,6 +2009,12 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
rc = -1;
}
for (i = 0; i < def->nsysinfo; i++) {
if (virSecurityDACRestoreSysinfoLabel(mgr,
def->sysinfo[i]) < 0)
rc = -1;
}
if (def->os.loader && def->os.loader->nvram &&
virSecurityDACRestoreFileLabel(mgr, def->os.loader->nvram) < 0)
rc = -1;
@ -2094,6 +2118,27 @@ virSecurityDACSetSEVLabel(virSecurityManagerPtr mgr,
}
static int
virSecurityDACSetSysinfoLabel(virSecurityManagerPtr mgr,
uid_t user,
gid_t group,
virSysinfoDefPtr def)
{
size_t i;
for (i = 0; i < def->nfw_cfgs; i++) {
virSysinfoFWCfgDefPtr f = &def->fw_cfgs[i];
if (f->file &&
virSecurityDACSetOwnership(mgr, NULL, f->file,
user, group, true) < 0)
return -1;
}
return 0;
}
static int
virSecurityDACSetAllLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def,
@ -2173,6 +2218,11 @@ virSecurityDACSetAllLabel(virSecurityManagerPtr mgr,
if (virSecurityDACGetImageIds(secdef, priv, &user, &group))
return -1;
for (i = 0; i < def->nsysinfo; i++) {
if (virSecurityDACSetSysinfoLabel(mgr, user, group, def->sysinfo[i]) < 0)
return -1;
}
if (def->os.loader && def->os.loader->nvram &&
virSecurityDACSetOwnership(mgr, NULL,
def->os.loader->nvram,
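Review bot: virSecurityDACRestoreSysinfoLabel returns -1 at the first fw_cfg file whose restore fails, so any later files in the same sysinfo block are never visited and keep the ownership given to QEMU after the domain is torn down. The caller in virSecurityDACRestoreAllLabel is deliberately best-effort (`rc = -1;` and continue), and the helper should match it: declare `int rc = 0;`, replace the loop's `return -1;` with `rc = -1;`, and finish with `return rc;`. virSecuritySELinuxRestoreSysinfoLabel in the SELinux driver has the same early return. The bodies of virSecurityDACRestoreAllLabel and virSecurityDACSetAllLabel continue outside the visible hunks.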


@ -2720,6 +2720,24 @@ virSecuritySELinuxGetBaseLabel(virSecurityManagerPtr mgr, int virtType)
}
static int
virSecuritySELinuxRestoreSysinfoLabel(virSecurityManagerPtr mgr,
virSysinfoDefPtr def)
{
size_t i;
for (i = 0; i < def->nfw_cfgs; i++) {
virSysinfoFWCfgDefPtr f = &def->fw_cfgs[i];
if (f->file &&
virSecuritySELinuxRestoreFileLabel(mgr, f->file, true) < 0)
return -1;
}
return 0;
}
static int
virSecuritySELinuxRestoreAllLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def,
@ -2786,6 +2804,11 @@ virSecuritySELinuxRestoreAllLabel(virSecurityManagerPtr mgr,
mgr) < 0)
rc = -1;
for (i = 0; i < def->nsysinfo; i++) {
if (virSecuritySELinuxRestoreSysinfoLabel(mgr, def->sysinfo[i]) < 0)
rc = -1;
}
if (def->os.loader && def->os.loader->nvram &&
virSecuritySELinuxRestoreFileLabel(mgr, def->os.loader->nvram, true) < 0)
rc = -1;
@ -3123,6 +3146,26 @@ virSecuritySELinuxSetSecuritySmartcardCallback(virDomainDefPtr def,
}
static int
virSecuritySELinuxSetSysinfoLabel(virSecurityManagerPtr mgr,
virSysinfoDefPtr def,
virSecuritySELinuxDataPtr data)
{
size_t i;
for (i = 0; i < def->nfw_cfgs; i++) {
virSysinfoFWCfgDefPtr f = &def->fw_cfgs[i];
if (f->file &&
virSecuritySELinuxSetFilecon(mgr, f->file,
data->content_context, true) < 0)
return -1;
}
return 0;
}
static int
virSecuritySELinuxSetAllLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def,
@ -3194,6 +3237,13 @@ virSecuritySELinuxSetAllLabel(virSecurityManagerPtr mgr,
mgr) < 0)
return -1;
for (i = 0; i < def->nsysinfo; i++) {
if (virSecuritySELinuxSetSysinfoLabel(mgr,
def->sysinfo[i],
data) < 0)
return -1;
}
/* This is different than kernel or initrd. The nvram store
* is really a disk, qemu can read and write to it. */
if (def->os.loader && def->os.loader->nvram &&
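Review bot: virSecuritySELinuxSetSysinfoLabel labels every fw_cfg file with `data->content_context`, and nothing at the call site records why that label was chosen instead of a per-domain one. If content_context is the shared read-only content label, as the neighbouring nvram comment's contrast with kernel and initrd suggests, the file is not isolated between guests and may be readable by other confined QEMU processes on the host. That matters when fw_cfg is used to hand provisioning data to a guest. A comment above the new loop in virSecuritySELinuxSetAllLabel, in the style of the nvram one, would make the decision explicit: `/* fw_cfg files are only read by QEMU, so they get the shared read-only content label; they are not isolated between guests. */`. Both SetAllLabel and RestoreAllLabel continue outside the visible hunks.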


@ -1175,6 +1175,18 @@ get_files(vahControl * ctl)
}
}
for (i = 0; i < ctl->def->nsysinfo; i++) {
size_t j;
for (j = 0; j < ctl->def->sysinfo[i]->nfw_cfgs; j++) {
virSysinfoFWCfgDefPtr f = &ctl->def->sysinfo[i]->fw_cfgs[j];
if (f->file &&
vah_add_file(&buf, f->file, "r") != 0)
goto cleanup;
}
}
for (i = 0; i < ctl->def->nshmems; i++) {
virDomainShmemDef *shmem = ctl->def->shmems[i];
/* explicit server paths can be on any model to overwrites defaults.
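Review bot: The hard-coded `"r"` passed to vah_add_file is the only trace in get_files of the read-only decision described in the commit message, and the same assumption is encoded separately in the DAC and SELinux drivers. A one-line comment above the new loop would keep the three in step if write access is ever enabled: `/* fw_cfg files are only read by QEMU; keep in sync with the security drivers */`. get_files starts and ends outside this hunk, so how the `cleanup` path reports the failure is not visible here.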