secdrivers: Relabel firmware config files

For the case where -fw_cfg uses a file, we need to set the seclabels on it to allow QEMU the access. While QEMU allows writing into the file (if specified on the command line), so far we are enabling reading only and thus we can use read only label (in case of SELinux). Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2024-07-31 14:07:16 +00:00 · 2020-06-02 20:56:09 +02:00 · 2020-06-02 20:56:09 +02:00 · d024a7da7a
commit d024a7da7a
parent 9ce32b0935
3 changed files with 112 additions and 0 deletions
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@ -1916,6 +1916,24 @@ virSecurityDACRestoreSEVLabel(virSecurityManagerPtr mgr G_GNUC_UNUSED,
 }


+static int
+virSecurityDACRestoreSysinfoLabel(virSecurityManagerPtr mgr,
+                                  virSysinfoDefPtr def)
+{
+    size_t i;
+
+    for (i = 0; i < def->nfw_cfgs; i++) {
+        virSysinfoFWCfgDefPtr f = &def->fw_cfgs[i];
+
+        if (f->file &&
+            virSecurityDACRestoreFileLabel(mgr, f->file) < 0)
+            return -1;
+    }
+
+    return 0;
+}
+
+
 static int
 virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
                              virDomainDefPtr def,
@ -1991,6 +2009,12 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
            rc = -1;
    }

+    for (i = 0; i < def->nsysinfo; i++) {
+        if (virSecurityDACRestoreSysinfoLabel(mgr,
+                                              def->sysinfo[i]) < 0)
+            rc = -1;
+    }
+
    if (def->os.loader && def->os.loader->nvram &&
        virSecurityDACRestoreFileLabel(mgr, def->os.loader->nvram) < 0)
        rc = -1;
@ -2094,6 +2118,27 @@ virSecurityDACSetSEVLabel(virSecurityManagerPtr mgr,
 }


+static int
+virSecurityDACSetSysinfoLabel(virSecurityManagerPtr mgr,
+                              uid_t user,
+                              gid_t group,
+                              virSysinfoDefPtr def)
+{
+    size_t i;
+
+    for (i = 0; i < def->nfw_cfgs; i++) {
+        virSysinfoFWCfgDefPtr f = &def->fw_cfgs[i];
+
+        if (f->file &&
+            virSecurityDACSetOwnership(mgr, NULL, f->file,
+                                       user, group, true) < 0)
+            return -1;
+    }
+
+    return 0;
+}
+
+
 static int
 virSecurityDACSetAllLabel(virSecurityManagerPtr mgr,
                          virDomainDefPtr def,
@ -2173,6 +2218,11 @@ virSecurityDACSetAllLabel(virSecurityManagerPtr mgr,
    if (virSecurityDACGetImageIds(secdef, priv, &user, &group))
        return -1;

+    for (i = 0; i < def->nsysinfo; i++) {
+        if (virSecurityDACSetSysinfoLabel(mgr, user, group, def->sysinfo[i]) < 0)
+            return -1;
+    }
+
    if (def->os.loader && def->os.loader->nvram &&
        virSecurityDACSetOwnership(mgr, NULL,
                                   def->os.loader->nvram,
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@ -2720,6 +2720,24 @@ virSecuritySELinuxGetBaseLabel(virSecurityManagerPtr mgr, int virtType)
 }


+static int
+virSecuritySELinuxRestoreSysinfoLabel(virSecurityManagerPtr mgr,
+                                      virSysinfoDefPtr def)
+{
+    size_t i;
+
+    for (i = 0; i < def->nfw_cfgs; i++) {
+        virSysinfoFWCfgDefPtr f = &def->fw_cfgs[i];
+
+        if (f->file &&
+            virSecuritySELinuxRestoreFileLabel(mgr, f->file, true) < 0)
+            return -1;
+    }
+
+    return 0;
+}
+
+
 static int
 virSecuritySELinuxRestoreAllLabel(virSecurityManagerPtr mgr,
                                  virDomainDefPtr def,
@ -2786,6 +2804,11 @@ virSecuritySELinuxRestoreAllLabel(virSecurityManagerPtr mgr,
                                     mgr) < 0)
        rc = -1;

+    for (i = 0; i < def->nsysinfo; i++) {
+        if (virSecuritySELinuxRestoreSysinfoLabel(mgr, def->sysinfo[i]) < 0)
+            rc = -1;
+    }
+
    if (def->os.loader && def->os.loader->nvram &&
        virSecuritySELinuxRestoreFileLabel(mgr, def->os.loader->nvram, true) < 0)
        rc = -1;
@ -3123,6 +3146,26 @@ virSecuritySELinuxSetSecuritySmartcardCallback(virDomainDefPtr def,
 }


+static int
+virSecuritySELinuxSetSysinfoLabel(virSecurityManagerPtr mgr,
+                                  virSysinfoDefPtr def,
+                                  virSecuritySELinuxDataPtr data)
+{
+    size_t i;
+
+    for (i = 0; i < def->nfw_cfgs; i++) {
+        virSysinfoFWCfgDefPtr f = &def->fw_cfgs[i];
+
+        if (f->file &&
+            virSecuritySELinuxSetFilecon(mgr, f->file,
+                                         data->content_context, true) < 0)
+            return -1;
+    }
+
+    return 0;
+}
+
+
 static int
 virSecuritySELinuxSetAllLabel(virSecurityManagerPtr mgr,
                              virDomainDefPtr def,
@ -3194,6 +3237,13 @@ virSecuritySELinuxSetAllLabel(virSecurityManagerPtr mgr,
                                     mgr) < 0)
        return -1;

+    for (i = 0; i < def->nsysinfo; i++) {
+        if (virSecuritySELinuxSetSysinfoLabel(mgr,
+                                              def->sysinfo[i],
+                                              data) < 0)
+            return -1;
+    }
+
    /* This is different than kernel or initrd. The nvram store
     * is really a disk, qemu can read and write to it. */
    if (def->os.loader && def->os.loader->nvram &&
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@ -1175,6 +1175,18 @@ get_files(vahControl * ctl)
        }
    }

+    for (i = 0; i < ctl->def->nsysinfo; i++) {
+        size_t j;
+
+        for (j = 0; j < ctl->def->sysinfo[i]->nfw_cfgs; j++) {
+            virSysinfoFWCfgDefPtr f = &ctl->def->sysinfo[i]->fw_cfgs[j];
+
+            if (f->file &&
+                vah_add_file(&buf, f->file, "r") != 0)
+                goto cleanup;
+        }
+    }
+
    for (i = 0; i < ctl->def->nshmems; i++) {
        virDomainShmemDef *shmem = ctl->def->shmems[i];
        /* explicit server paths can be on any model to overwrites defaults.