security_selinux: Set and restore /dev/sgx_* labels

For SGX type of memory, QEMU needs to open and talk to /dev/sgx_vepc and /dev/sgx_provision files. But we do not set nor restore SELinux labels on these files when starting a guest. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
2025-01-08 22:15:21 +00:00 · 2023-01-03 10:29:01 +01:00 · 2023-01-03 10:29:01 +01:00 · ed6b8a30b9
commit ed6b8a30b9
parent a50e6f649b
3 changed files with 26 additions and 5 deletions
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@ -47,9 +47,6 @@
 VIR_LOG_INIT("security.security_dac");

 #define SECURITY_DAC_NAME "dac"
-#define DEV_SEV "/dev/sev"
-#define DEV_SGX_VEPC "/dev/sgx_vepc"
-#define DEV_SGX_PROVISION "/dev/sgx_provision"

 typedef struct _virSecurityDACData virSecurityDACData;
 struct _virSecurityDACData {
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@ -23,6 +23,10 @@
 #include "domain_conf.h"
 #include "vircommand.h"

+#define DEV_SEV "/dev/sev"
+#define DEV_SGX_VEPC "/dev/sgx_vepc"
+#define DEV_SGX_PROVISION "/dev/sgx_provision"
+
 typedef struct _virSecurityManager virSecurityManager;

 typedef enum {
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@ -1577,10 +1577,21 @@ virSecuritySELinuxSetMemoryLabel(virSecurityManager *mgr,
            return -1;
        break;

+    case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
+        seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
+        if (!seclabel || !seclabel->relabel)
+            return 0;
+
+        if (virSecuritySELinuxSetFilecon(mgr, DEV_SGX_VEPC,
+                                         seclabel->imagelabel, true) < 0 ||
+            virSecuritySELinuxSetFilecon(mgr, DEV_SGX_PROVISION,
+                                         seclabel->imagelabel, true) < 0)
+            return -1;
+        break;
+
    case VIR_DOMAIN_MEMORY_MODEL_NONE:
    case VIR_DOMAIN_MEMORY_MODEL_DIMM:
    case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
-    case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
    case VIR_DOMAIN_MEMORY_MODEL_LAST:
        break;
    }
@ -1607,9 +1618,18 @@ virSecuritySELinuxRestoreMemoryLabel(virSecurityManager *mgr,
        ret = virSecuritySELinuxRestoreFileLabel(mgr, mem->nvdimmPath, true);
        break;

+    case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
+        seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
+        if (!seclabel || !seclabel->relabel)
+            return 0;
+
+        ret = virSecuritySELinuxRestoreFileLabel(mgr, DEV_SGX_VEPC, true);
+        if (virSecuritySELinuxRestoreFileLabel(mgr, DEV_SGX_PROVISION, true) < 0)
+            ret = -1;
+        break;
+
    case VIR_DOMAIN_MEMORY_MODEL_DIMM:
    case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
-    case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
    case VIR_DOMAIN_MEMORY_MODEL_NONE:
    case VIR_DOMAIN_MEMORY_MODEL_LAST:
        ret = 0;