mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-12-23 06:05:27 +00:00
secdrivers: Relabel firmware config files
For the case where -fw_cfg uses a file, we need to set the seclabels on it to allow QEMU the access. While QEMU allows writing into the file (if specified on the command line), so far we are enabling reading only and thus we can use read only label (in case of SELinux). Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
parent
9ce32b0935
commit
d024a7da7a
@ -1916,6 +1916,24 @@ virSecurityDACRestoreSEVLabel(virSecurityManagerPtr mgr G_GNUC_UNUSED,
|
||||
}
|
||||
|
||||
|
||||
static int
|
||||
virSecurityDACRestoreSysinfoLabel(virSecurityManagerPtr mgr,
|
||||
virSysinfoDefPtr def)
|
||||
{
|
||||
size_t i;
|
||||
|
||||
for (i = 0; i < def->nfw_cfgs; i++) {
|
||||
virSysinfoFWCfgDefPtr f = &def->fw_cfgs[i];
|
||||
|
||||
if (f->file &&
|
||||
virSecurityDACRestoreFileLabel(mgr, f->file) < 0)
|
||||
return -1;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
static int
|
||||
virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
|
||||
virDomainDefPtr def,
|
||||
@ -1991,6 +2009,12 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
|
||||
rc = -1;
|
||||
}
|
||||
|
||||
for (i = 0; i < def->nsysinfo; i++) {
|
||||
if (virSecurityDACRestoreSysinfoLabel(mgr,
|
||||
def->sysinfo[i]) < 0)
|
||||
rc = -1;
|
||||
}
|
||||
|
||||
if (def->os.loader && def->os.loader->nvram &&
|
||||
virSecurityDACRestoreFileLabel(mgr, def->os.loader->nvram) < 0)
|
||||
rc = -1;
|
||||
@ -2094,6 +2118,27 @@ virSecurityDACSetSEVLabel(virSecurityManagerPtr mgr,
|
||||
}
|
||||
|
||||
|
||||
static int
|
||||
virSecurityDACSetSysinfoLabel(virSecurityManagerPtr mgr,
|
||||
uid_t user,
|
||||
gid_t group,
|
||||
virSysinfoDefPtr def)
|
||||
{
|
||||
size_t i;
|
||||
|
||||
for (i = 0; i < def->nfw_cfgs; i++) {
|
||||
virSysinfoFWCfgDefPtr f = &def->fw_cfgs[i];
|
||||
|
||||
if (f->file &&
|
||||
virSecurityDACSetOwnership(mgr, NULL, f->file,
|
||||
user, group, true) < 0)
|
||||
return -1;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
static int
|
||||
virSecurityDACSetAllLabel(virSecurityManagerPtr mgr,
|
||||
virDomainDefPtr def,
|
||||
@ -2173,6 +2218,11 @@ virSecurityDACSetAllLabel(virSecurityManagerPtr mgr,
|
||||
if (virSecurityDACGetImageIds(secdef, priv, &user, &group))
|
||||
return -1;
|
||||
|
||||
for (i = 0; i < def->nsysinfo; i++) {
|
||||
if (virSecurityDACSetSysinfoLabel(mgr, user, group, def->sysinfo[i]) < 0)
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (def->os.loader && def->os.loader->nvram &&
|
||||
virSecurityDACSetOwnership(mgr, NULL,
|
||||
def->os.loader->nvram,
|
||||
|
@ -2720,6 +2720,24 @@ virSecuritySELinuxGetBaseLabel(virSecurityManagerPtr mgr, int virtType)
|
||||
}
|
||||
|
||||
|
||||
static int
|
||||
virSecuritySELinuxRestoreSysinfoLabel(virSecurityManagerPtr mgr,
|
||||
virSysinfoDefPtr def)
|
||||
{
|
||||
size_t i;
|
||||
|
||||
for (i = 0; i < def->nfw_cfgs; i++) {
|
||||
virSysinfoFWCfgDefPtr f = &def->fw_cfgs[i];
|
||||
|
||||
if (f->file &&
|
||||
virSecuritySELinuxRestoreFileLabel(mgr, f->file, true) < 0)
|
||||
return -1;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
static int
|
||||
virSecuritySELinuxRestoreAllLabel(virSecurityManagerPtr mgr,
|
||||
virDomainDefPtr def,
|
||||
@ -2786,6 +2804,11 @@ virSecuritySELinuxRestoreAllLabel(virSecurityManagerPtr mgr,
|
||||
mgr) < 0)
|
||||
rc = -1;
|
||||
|
||||
for (i = 0; i < def->nsysinfo; i++) {
|
||||
if (virSecuritySELinuxRestoreSysinfoLabel(mgr, def->sysinfo[i]) < 0)
|
||||
rc = -1;
|
||||
}
|
||||
|
||||
if (def->os.loader && def->os.loader->nvram &&
|
||||
virSecuritySELinuxRestoreFileLabel(mgr, def->os.loader->nvram, true) < 0)
|
||||
rc = -1;
|
||||
@ -3123,6 +3146,26 @@ virSecuritySELinuxSetSecuritySmartcardCallback(virDomainDefPtr def,
|
||||
}
|
||||
|
||||
|
||||
static int
|
||||
virSecuritySELinuxSetSysinfoLabel(virSecurityManagerPtr mgr,
|
||||
virSysinfoDefPtr def,
|
||||
virSecuritySELinuxDataPtr data)
|
||||
{
|
||||
size_t i;
|
||||
|
||||
for (i = 0; i < def->nfw_cfgs; i++) {
|
||||
virSysinfoFWCfgDefPtr f = &def->fw_cfgs[i];
|
||||
|
||||
if (f->file &&
|
||||
virSecuritySELinuxSetFilecon(mgr, f->file,
|
||||
data->content_context, true) < 0)
|
||||
return -1;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
static int
|
||||
virSecuritySELinuxSetAllLabel(virSecurityManagerPtr mgr,
|
||||
virDomainDefPtr def,
|
||||
@ -3194,6 +3237,13 @@ virSecuritySELinuxSetAllLabel(virSecurityManagerPtr mgr,
|
||||
mgr) < 0)
|
||||
return -1;
|
||||
|
||||
for (i = 0; i < def->nsysinfo; i++) {
|
||||
if (virSecuritySELinuxSetSysinfoLabel(mgr,
|
||||
def->sysinfo[i],
|
||||
data) < 0)
|
||||
return -1;
|
||||
}
|
||||
|
||||
/* This is different than kernel or initrd. The nvram store
|
||||
* is really a disk, qemu can read and write to it. */
|
||||
if (def->os.loader && def->os.loader->nvram &&
|
||||
|
@ -1175,6 +1175,18 @@ get_files(vahControl * ctl)
|
||||
}
|
||||
}
|
||||
|
||||
for (i = 0; i < ctl->def->nsysinfo; i++) {
|
||||
size_t j;
|
||||
|
||||
for (j = 0; j < ctl->def->sysinfo[i]->nfw_cfgs; j++) {
|
||||
virSysinfoFWCfgDefPtr f = &ctl->def->sysinfo[i]->fw_cfgs[j];
|
||||
|
||||
if (f->file &&
|
||||
vah_add_file(&buf, f->file, "r") != 0)
|
||||
goto cleanup;
|
||||
}
|
||||
}
|
||||
|
||||
for (i = 0; i < ctl->def->nshmems; i++) {
|
||||
virDomainShmemDef *shmem = ctl->def->shmems[i];
|
||||
/* explicit server paths can be on any model to overwrites defaults.
|
||||
|
Loading…
Reference in New Issue
Block a user