External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-01-23 04:55:18 +00:00
Code Issues Packages Projects Releases Wiki Activity

security: Extend TPM label APIs

Browse Source 
The virSecurityDomainSetTPMLabels() and
virSecurityDomainRestoreTPMLabels() APIs set/restore label on two
files/directories:

  1) the TPM state (tpm->data.emulator.storagepath), and
  2) the TPM log file (tpm->data.emulator.logfile).

Soon there will be a need to set the label on the log file but
not on the state. Therefore, extend these APIs for a boolean flag
that when set does both, but when unset does only 2).

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
This commit is contained in:
Michal Privoznik 2022-12-02 15:59:28 +01:00
parent 26cceb2a2a
commit f3259f82fd
6 changed files with 50 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/qemu/qemu_security.c
View File

@ -535,7 +535,7 @@ qemuSecurityStartTPMEmulator(virQEMUDriver *driver,
transactionStarted = true;
if (virSecurityManagerSetTPMLabels(driver->securityManager,
vm->def) < 0) {
vm->def, true) < 0) {
virSecurityManagerTransactionAbort(driver->securityManager);
return -1;
}
@ -560,7 +560,7 @@ qemuSecurityStartTPMEmulator(virQEMUDriver *driver,
virSecurityManagerTransactionStart(driver->securityManager) >= 0)
transactionStarted = true;
virSecurityManagerRestoreTPMLabels(driver->securityManager, vm->def);
virSecurityManagerRestoreTPMLabels(driver->securityManager, vm->def, true);
if (transactionStarted &&
virSecurityManagerTransactionCommit(driver->securityManager,
@ -583,7 +583,7 @@ qemuSecurityCleanupTPMEmulator(virQEMUDriver *driver,
if (virSecurityManagerTransactionStart(driver->securityManager) >= 0)
transactionStarted = true;
virSecurityManagerRestoreTPMLabels(driver->securityManager, vm->def);
virSecurityManagerRestoreTPMLabels(driver->securityManager, vm->def, true);
if (transactionStarted &&
virSecurityManagerTransactionCommit(driver->securityManager,

6
src/security/security_driver.h
View File

@ -154,9 +154,11 @@ typedef int (*virSecurityDomainRestoreChardevLabel) (virSecurityManager *mgr,
virDomainChrSourceDef *dev_source,
bool chardevStdioLogd);
typedef int (*virSecurityDomainSetTPMLabels) (virSecurityManager *mgr,
virDomainDef *def);
virDomainDef *def,
bool setTPMStateLabel);
typedef int (*virSecurityDomainRestoreTPMLabels) (virSecurityManager *mgr,
virDomainDef *def);
virDomainDef *def,
bool restoreTPMStateLabel);
typedef int (*virSecurityDomainSetNetdevLabel) (virSecurityManager *mgr,
virDomainDef *def,
virDomainNetDef *net);

10
src/security/security_manager.c
View File

@ -1188,27 +1188,29 @@ virSecurityManagerRestoreChardevLabel(virSecurityManager *mgr,
int
virSecurityManagerSetTPMLabels(virSecurityManager *mgr,
virDomainDef *vm)
virDomainDef *vm,
bool setTPMStateLabel)
{
VIR_LOCK_GUARD lock = virObjectLockGuard(mgr);
if (!mgr->drv->domainSetSecurityTPMLabels)
return 0;
return mgr->drv->domainSetSecurityTPMLabels(mgr, vm);
return mgr->drv->domainSetSecurityTPMLabels(mgr, vm, setTPMStateLabel);
}
int
virSecurityManagerRestoreTPMLabels(virSecurityManager *mgr,
virDomainDef *vm)
virDomainDef *vm,
bool restoreTPMStateLabel)
{
VIR_LOCK_GUARD lock = virObjectLockGuard(mgr);
if (!mgr->drv->domainRestoreSecurityTPMLabels)
return 0;
return mgr->drv->domainRestoreSecurityTPMLabels(mgr, vm);
return mgr->drv->domainRestoreSecurityTPMLabels(mgr, vm, restoreTPMStateLabel);
}

6
src/security/security_manager.h
View File

@ -214,10 +214,12 @@ int virSecurityManagerRestoreChardevLabel(virSecurityManager *mgr,
bool chardevStdioLogd);
int virSecurityManagerSetTPMLabels(virSecurityManager *mgr,
virDomainDef *vm);
virDomainDef *vm,
bool setTPMStateLabel);
int virSecurityManagerRestoreTPMLabels(virSecurityManager *mgr,
virDomainDef *vm);
virDomainDef *vm,
bool restoreTPMStateLabel);
int virSecurityManagerSetNetdevLabel(virSecurityManager *mgr,
virDomainDef *vm,

40
src/security/security_selinux.c
View File

@ -3526,7 +3526,8 @@ virSecuritySELinuxRestoreFileLabels(virSecurityManager *mgr,
static int
virSecuritySELinuxSetTPMLabels(virSecurityManager *mgr,
virDomainDef *def)
virDomainDef *def,
bool setTPMStateLabel)
{
int ret = 0;
size_t i;
@ -3540,13 +3541,18 @@ virSecuritySELinuxSetTPMLabels(virSecurityManager *mgr,
if (def->tpms[i]->type != VIR_DOMAIN_TPM_TYPE_EMULATOR)
continue;
ret = virSecuritySELinuxSetFileLabels(
mgr, def->tpms[i]->data.emulator.storagepath,
seclabel);
if (ret == 0 && def->tpms[i]->data.emulator.logfile)
ret = virSecuritySELinuxSetFileLabels(
mgr, def->tpms[i]->data.emulator.logfile,
seclabel);
if (setTPMStateLabel) {
ret = virSecuritySELinuxSetFileLabels(mgr,
def->tpms[i]->data.emulator.storagepath,
seclabel);
}
if (ret == 0 &&
def->tpms[i]->data.emulator.logfile) {
ret = virSecuritySELinuxSetFileLabels(mgr,
def->tpms[i]->data.emulator.logfile,
seclabel);
}
}
return ret;
@ -3555,7 +3561,8 @@ virSecuritySELinuxSetTPMLabels(virSecurityManager *mgr,
static int
virSecuritySELinuxRestoreTPMLabels(virSecurityManager *mgr,
virDomainDef *def)
virDomainDef *def,
bool restoreTPMStateLabel)
{
int ret = 0;
size_t i;
@ -3564,11 +3571,16 @@ virSecuritySELinuxRestoreTPMLabels(virSecurityManager *mgr,
if (def->tpms[i]->type != VIR_DOMAIN_TPM_TYPE_EMULATOR)
continue;
ret = virSecuritySELinuxRestoreFileLabels(
mgr, def->tpms[i]->data.emulator.storagepath);
if (ret == 0 && def->tpms[i]->data.emulator.logfile)
ret = virSecuritySELinuxRestoreFileLabels(
mgr, def->tpms[i]->data.emulator.logfile);
if (restoreTPMStateLabel) {
ret = virSecuritySELinuxRestoreFileLabels(mgr,
def->tpms[i]->data.emulator.storagepath);
}
if (ret == 0 &&
def->tpms[i]->data.emulator.logfile) {
ret = virSecuritySELinuxRestoreFileLabels(mgr,
def->tpms[i]->data.emulator.logfile);
}
}
return ret;

12
src/security/security_stack.c
View File

@ -916,14 +916,15 @@ virSecurityStackDomainRestoreChardevLabel(virSecurityManager *mgr,
static int
virSecurityStackSetTPMLabels(virSecurityManager *mgr,
virDomainDef *vm)
virDomainDef *vm,
bool setTPMStateLabel)
{
virSecurityStackData *priv = virSecurityManagerGetPrivateData(mgr);
virSecurityStackItem *item = priv->itemsHead;
for (; item; item = item->next) {
if (virSecurityManagerSetTPMLabels(item->securityManager,
vm) < 0)
vm, setTPMStateLabel) < 0)
goto rollback;
}
@ -932,7 +933,7 @@ virSecurityStackSetTPMLabels(virSecurityManager *mgr,
rollback:
for (item = item->prev; item; item = item->prev) {
if (virSecurityManagerRestoreTPMLabels(item->securityManager,
vm) < 0) {
vm, setTPMStateLabel) < 0) {
VIR_WARN("Unable to restore TPM label after failed set label "
"call virDriver=%s driver=%s domain=%s",
virSecurityManagerGetVirtDriver(mgr),
@ -946,7 +947,8 @@ virSecurityStackSetTPMLabels(virSecurityManager *mgr,
static int
virSecurityStackRestoreTPMLabels(virSecurityManager *mgr,
virDomainDef *vm)
virDomainDef *vm,
bool restoreTPMStateLabel)
{
virSecurityStackData *priv = virSecurityManagerGetPrivateData(mgr);
virSecurityStackItem *item = priv->itemsHead;
@ -954,7 +956,7 @@ virSecurityStackRestoreTPMLabels(virSecurityManager *mgr,
for (; item; item = item->next) {
if (virSecurityManagerRestoreTPMLabels(item->securityManager,
vm) < 0)
vm, restoreTPMStateLabel) < 0)
rc = -1;
}