External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-01-03 03:25:20 +00:00
Code Issues Packages Projects Releases Wiki Activity

security: label the evdev for input device passthrough

Browse Source 
Add functions for setting and restoring the label of input devices
to DAC and SELinux drivers.

https://bugzilla.redhat.com/show_bug.cgi?id=1231114
This commit is contained in:
Ján Tomko 2015-11-20 08:25:41 +01:00
parent 1a538a07c7
commit d5aba1a4d9
2 changed files with 142 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

72
src/security/security_dac.c
View File

@ -1012,6 +1012,66 @@ virSecurityDACRestoreSecurityTPMFileLabel(virSecurityManagerPtr mgr,
} }
static int
virSecurityDACSetInputLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def,
virDomainInputDefPtr input)
{
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
virSecurityLabelDefPtr seclabel;
int ret = -1;
uid_t user;
gid_t group;
seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
if (seclabel && !seclabel->relabel)
return 0;
switch ((virDomainInputType) input->type) {
case VIR_DOMAIN_INPUT_TYPE_PASSTHROUGH:
if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL) < 0)
return -1;
ret = virSecurityDACSetOwnership(priv, NULL, input->source.evdev, user, group);
break;
case VIR_DOMAIN_INPUT_TYPE_MOUSE:
case VIR_DOMAIN_INPUT_TYPE_TABLET:
case VIR_DOMAIN_INPUT_TYPE_KBD:
case VIR_DOMAIN_INPUT_TYPE_LAST:
ret = 0;
break;
}
return ret;
}
static int
virSecurityDACRestoreInputLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def ATTRIBUTE_UNUSED,
virDomainInputDefPtr input)
{
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
int ret = -1;
switch ((virDomainInputType) input->type) {
case VIR_DOMAIN_INPUT_TYPE_PASSTHROUGH:
ret = virSecurityDACRestoreSecurityFileLabel(priv, input->source.evdev);
break;
case VIR_DOMAIN_INPUT_TYPE_MOUSE:
case VIR_DOMAIN_INPUT_TYPE_TABLET:
case VIR_DOMAIN_INPUT_TYPE_KBD:
case VIR_DOMAIN_INPUT_TYPE_LAST:
ret = 0;
break;
}
return ret;
}
static int static int
virSecurityDACRestoreSecurityAllLabel(virSecurityManagerPtr mgr, virSecurityDACRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def, virDomainDefPtr def,
@ -1037,6 +1097,12 @@ virSecurityDACRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
NULL) < 0) NULL) < 0)
rc = -1; rc = -1;
} }
for (i = 0; i < def->ninputs; i++) {
if (virSecurityDACRestoreInputLabel(mgr, def, def->inputs[i]) < 0)
rc = -1;
}
for (i = 0; i < def->ndisks; i++) { for (i = 0; i < def->ndisks; i++) {
if (virSecurityDACRestoreSecurityImageLabelInt(mgr, if (virSecurityDACRestoreSecurityImageLabelInt(mgr,
def, def,
@ -1114,6 +1180,12 @@ virSecurityDACSetSecurityAllLabel(virSecurityManagerPtr mgr,
def->disks[i]) < 0) def->disks[i]) < 0)
return -1; return -1;
} }
for (i = 0; i < def->ninputs; i++) {
if (virSecurityDACSetInputLabel(mgr, def, def->inputs[i]) < 0)
return -1;
}
for (i = 0; i < def->nhostdevs; i++) { for (i = 0; i < def->nhostdevs; i++) {
if (virSecurityDACSetSecurityHostdevLabel(mgr, if (virSecurityDACSetSecurityHostdevLabel(mgr,
def, def,

70
src/security/security_selinux.c
View File

@ -1055,6 +1055,64 @@ virSecuritySELinuxRestoreSecurityFileLabel(virSecurityManagerPtr mgr,
} }
static int
virSecuritySELinuxSetInputLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def,
virDomainInputDefPtr input)
{
virSecurityLabelDefPtr seclabel;
seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
if (seclabel == NULL)
return 0;
switch ((virDomainInputType) input->type) {
case VIR_DOMAIN_INPUT_TYPE_PASSTHROUGH:
if (virSecuritySELinuxSetFilecon(mgr, input->source.evdev,
seclabel->imagelabel) < 0)
return -1;
break;
case VIR_DOMAIN_INPUT_TYPE_MOUSE:
case VIR_DOMAIN_INPUT_TYPE_TABLET:
case VIR_DOMAIN_INPUT_TYPE_KBD:
case VIR_DOMAIN_INPUT_TYPE_LAST:
break;
}
return 0;
}
static int
virSecuritySELinuxRestoreInputLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def,
virDomainInputDefPtr input)
{
int rc = 0;
virSecurityLabelDefPtr seclabel;
seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
if (seclabel == NULL)
return 0;
switch ((virDomainInputType) input->type) {
case VIR_DOMAIN_INPUT_TYPE_PASSTHROUGH:
rc = virSecuritySELinuxRestoreSecurityFileLabel(mgr,
input->source.evdev);
break;
case VIR_DOMAIN_INPUT_TYPE_MOUSE:
case VIR_DOMAIN_INPUT_TYPE_TABLET:
case VIR_DOMAIN_INPUT_TYPE_KBD:
case VIR_DOMAIN_INPUT_TYPE_LAST:
break;
}
return rc;
}
static int static int
virSecuritySELinuxSetSecurityTPMFileLabel(virSecurityManagerPtr mgr, virSecuritySELinuxSetSecurityTPMFileLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def, virDomainDefPtr def,
@ -1954,6 +2012,12 @@ virSecuritySELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
NULL) < 0) NULL) < 0)
rc = -1; rc = -1;
} }
for (i = 0; i < def->ninputs; i++) {
if (virSecuritySELinuxRestoreInputLabel(mgr, def, def->inputs[i]) < 0)
rc = -1;
}
for (i = 0; i < def->ndisks; i++) { for (i = 0; i < def->ndisks; i++) {
virDomainDiskDefPtr disk = def->disks[i]; virDomainDiskDefPtr disk = def->disks[i];
@ -2346,6 +2410,12 @@ virSecuritySELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
NULL) < 0) NULL) < 0)
return -1; return -1;
} }
for (i = 0; i < def->ninputs; i++) {
if (virSecuritySELinuxSetInputLabel(mgr, def, def->inputs[i]) < 0)
return -1;
}
if (def->tpm) { if (def->tpm) {
if (virSecuritySELinuxSetSecurityTPMFileLabel(mgr, def, if (virSecuritySELinuxSetSecurityTPMFileLabel(mgr, def,
def->tpm) < 0) def->tpm) < 0)