/* * qemu_security.c: QEMU security management * * Copyright (C) 2016 Red Hat, Inc. * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public * License as published by the Free Software Foundation; either * version 2.1 of the License, or (at your option) any later version. * * This library is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public * License along with this library. If not, see * . * * Authors: * Michal Privoznik */ #include #include "qemu_domain.h" #include "qemu_security.h" #include "virlog.h" #define VIR_FROM_THIS VIR_FROM_QEMU VIR_LOG_INIT("qemu.qemu_process"); int qemuSecuritySetAllLabel(virQEMUDriverPtr driver, virDomainObjPtr vm, const char *stdin_path) { int ret = -1; qemuDomainObjPrivatePtr priv = vm->privateData; pid_t pid = -1; if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid = vm->pid; if (virSecurityManagerTransactionStart(driver->securityManager) < 0) goto cleanup; if (virSecurityManagerSetAllLabel(driver->securityManager, vm->def, stdin_path, priv->chardevStdioLogd) < 0) goto cleanup; if (virSecurityManagerTransactionCommit(driver->securityManager, pid) < 0) goto cleanup; ret = 0; cleanup: virSecurityManagerTransactionAbort(driver->securityManager); return ret; } void qemuSecurityRestoreAllLabel(virQEMUDriverPtr driver, virDomainObjPtr vm, bool migrated) { qemuDomainObjPrivatePtr priv = vm->privateData; bool transactionStarted = false; /* In contrast to qemuSecuritySetAllLabel, do not use vm->pid * here. This function is called from qemuProcessStop() which * is meant to do cleanup after qemu process died. The * domain's namespace is gone as qemu was the only process * running there. We would not succeed in entering the * namespace then. */ if (virSecurityManagerTransactionStart(driver->securityManager) >= 0) transactionStarted = true; virSecurityManagerRestoreAllLabel(driver->securityManager, vm->def, migrated, priv->chardevStdioLogd); if (transactionStarted && virSecurityManagerTransactionCommit(driver->securityManager, -1) < 0) VIR_WARN("Unable to run security manager transaction"); virSecurityManagerTransactionAbort(driver->securityManager); } int qemuSecuritySetDiskLabel(virQEMUDriverPtr driver, virDomainObjPtr vm, virDomainDiskDefPtr disk) { pid_t pid = -1; int ret = -1; if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid = vm->pid; if (virSecurityManagerTransactionStart(driver->securityManager) < 0) goto cleanup; if (virSecurityManagerSetDiskLabel(driver->securityManager, vm->def, disk) < 0) goto cleanup; if (virSecurityManagerTransactionCommit(driver->securityManager, pid) < 0) goto cleanup; ret = 0; cleanup: virSecurityManagerTransactionAbort(driver->securityManager); return ret; } int qemuSecurityRestoreDiskLabel(virQEMUDriverPtr driver, virDomainObjPtr vm, virDomainDiskDefPtr disk) { pid_t pid = -1; int ret = -1; if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid = vm->pid; if (virSecurityManagerTransactionStart(driver->securityManager) < 0) goto cleanup; if (virSecurityManagerRestoreDiskLabel(driver->securityManager, vm->def, disk) < 0) goto cleanup; if (virSecurityManagerTransactionCommit(driver->securityManager, pid) < 0) goto cleanup; ret = 0; cleanup: virSecurityManagerTransactionAbort(driver->securityManager); return ret; } int qemuSecuritySetImageLabel(virQEMUDriverPtr driver, virDomainObjPtr vm, virStorageSourcePtr src) { pid_t pid = -1; int ret = -1; if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid = vm->pid; if (virSecurityManagerTransactionStart(driver->securityManager) < 0) goto cleanup; if (virSecurityManagerSetImageLabel(driver->securityManager, vm->def, src) < 0) goto cleanup; if (virSecurityManagerTransactionCommit(driver->securityManager, pid) < 0) goto cleanup; ret = 0; cleanup: virSecurityManagerTransactionAbort(driver->securityManager); return ret; } int qemuSecurityRestoreImageLabel(virQEMUDriverPtr driver, virDomainObjPtr vm, virStorageSourcePtr src) { pid_t pid = -1; int ret = -1; if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid = vm->pid; if (virSecurityManagerTransactionStart(driver->securityManager) < 0) goto cleanup; if (virSecurityManagerRestoreImageLabel(driver->securityManager, vm->def, src) < 0) goto cleanup; if (virSecurityManagerTransactionCommit(driver->securityManager, pid) < 0) goto cleanup; ret = 0; cleanup: virSecurityManagerTransactionAbort(driver->securityManager); return ret; } int qemuSecuritySetHostdevLabel(virQEMUDriverPtr driver, virDomainObjPtr vm, virDomainHostdevDefPtr hostdev) { pid_t pid = -1; int ret = -1; if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid = vm->pid; if (virSecurityManagerTransactionStart(driver->securityManager) < 0) goto cleanup; if (virSecurityManagerSetHostdevLabel(driver->securityManager, vm->def, hostdev, NULL) < 0) goto cleanup; if (virSecurityManagerTransactionCommit(driver->securityManager, pid) < 0) goto cleanup; ret = 0; cleanup: virSecurityManagerTransactionAbort(driver->securityManager); return ret; } int qemuSecurityRestoreHostdevLabel(virQEMUDriverPtr driver, virDomainObjPtr vm, virDomainHostdevDefPtr hostdev) { pid_t pid = -1; int ret = -1; if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid = vm->pid; if (virSecurityManagerTransactionStart(driver->securityManager) < 0) goto cleanup; if (virSecurityManagerRestoreHostdevLabel(driver->securityManager, vm->def, hostdev, NULL) < 0) goto cleanup; if (virSecurityManagerTransactionCommit(driver->securityManager, pid) < 0) goto cleanup; ret = 0; cleanup: virSecurityManagerTransactionAbort(driver->securityManager); return ret; } int qemuSecuritySetMemoryLabel(virQEMUDriverPtr driver, virDomainObjPtr vm, virDomainMemoryDefPtr mem) { pid_t pid = -1; int ret = -1; if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid = vm->pid; if (virSecurityManagerTransactionStart(driver->securityManager) < 0) goto cleanup; if (virSecurityManagerSetMemoryLabel(driver->securityManager, vm->def, mem) < 0) goto cleanup; if (virSecurityManagerTransactionCommit(driver->securityManager, pid) < 0) goto cleanup; ret = 0; cleanup: virSecurityManagerTransactionAbort(driver->securityManager); return ret; } int qemuSecurityRestoreMemoryLabel(virQEMUDriverPtr driver, virDomainObjPtr vm, virDomainMemoryDefPtr mem) { pid_t pid = -1; int ret = -1; if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid = vm->pid; if (virSecurityManagerTransactionStart(driver->securityManager) < 0) goto cleanup; if (virSecurityManagerRestoreMemoryLabel(driver->securityManager, vm->def, mem) < 0) goto cleanup; if (virSecurityManagerTransactionCommit(driver->securityManager, pid) < 0) goto cleanup; ret = 0; cleanup: virSecurityManagerTransactionAbort(driver->securityManager); return ret; } int qemuSecuritySetInputLabel(virDomainObjPtr vm, virDomainInputDefPtr input) { qemuDomainObjPrivatePtr priv = vm->privateData; virQEMUDriverPtr driver = priv->driver; pid_t pid = -1; int ret = -1; if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid = vm->pid; if (virSecurityManagerTransactionStart(driver->securityManager) < 0) goto cleanup; if (virSecurityManagerSetInputLabel(driver->securityManager, vm->def, input) < 0) goto cleanup; if (virSecurityManagerTransactionCommit(driver->securityManager, pid) < 0) goto cleanup; ret = 0; cleanup: virSecurityManagerTransactionAbort(driver->securityManager); return ret; } int qemuSecurityRestoreInputLabel(virDomainObjPtr vm, virDomainInputDefPtr input) { qemuDomainObjPrivatePtr priv = vm->privateData; virQEMUDriverPtr driver = priv->driver; pid_t pid = -1; int ret = -1; if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid = vm->pid; if (virSecurityManagerTransactionStart(driver->securityManager) < 0) goto cleanup; if (virSecurityManagerRestoreInputLabel(driver->securityManager, vm->def, input) < 0) goto cleanup; if (virSecurityManagerTransactionCommit(driver->securityManager, pid) < 0) goto cleanup; ret = 0; cleanup: virSecurityManagerTransactionAbort(driver->securityManager); return ret; } int qemuSecuritySetChardevLabel(virQEMUDriverPtr driver, virDomainObjPtr vm, virDomainChrDefPtr chr) { int ret = -1; qemuDomainObjPrivatePtr priv = vm->privateData; pid_t pid = -1; if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid = vm->pid; if (virSecurityManagerTransactionStart(driver->securityManager) < 0) goto cleanup; if (virSecurityManagerSetChardevLabel(driver->securityManager, vm->def, chr->source, priv->chardevStdioLogd) < 0) goto cleanup; if (virSecurityManagerTransactionCommit(driver->securityManager, pid) < 0) goto cleanup; ret = 0; cleanup: virSecurityManagerTransactionAbort(driver->securityManager); return ret; } int qemuSecurityRestoreChardevLabel(virQEMUDriverPtr driver, virDomainObjPtr vm, virDomainChrDefPtr chr) { int ret = -1; qemuDomainObjPrivatePtr priv = vm->privateData; pid_t pid = -1; if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid = vm->pid; if (virSecurityManagerTransactionStart(driver->securityManager) < 0) goto cleanup; if (virSecurityManagerRestoreChardevLabel(driver->securityManager, vm->def, chr->source, priv->chardevStdioLogd) < 0) goto cleanup; if (virSecurityManagerTransactionCommit(driver->securityManager, pid) < 0) goto cleanup; ret = 0; cleanup: virSecurityManagerTransactionAbort(driver->securityManager); return ret; } /* * qemuSecurityStartTPMEmulator: * * @driver: the QEMU driver * @def: the domain definition * @cmd: the command to run * @uid: the uid to run the emulator * @gid: the gid to run the emulator * @existstatus: pointer to int returning exit status of process * @cmdret: pointer to int returning result of virCommandRun * * Start the TPM emulator with approriate labels. Apply security * labels to files first. * This function returns -1 on security setup error, 0 if all the * setup was done properly. In case the virCommand failed to run * 0 is returned but cmdret is set appropriately with the process * exitstatus also set. */ int qemuSecurityStartTPMEmulator(virQEMUDriverPtr driver, virDomainDefPtr def, virCommandPtr cmd, uid_t uid, gid_t gid, int *exitstatus, int *cmdret) { int ret = -1; bool transactionStarted = false; if (virSecurityManagerTransactionStart(driver->securityManager) < 0) return -1; transactionStarted = true; if (virSecurityManagerSetTPMLabels(driver->securityManager, def) < 0) { virSecurityManagerTransactionAbort(driver->securityManager); return -1; } if (virSecurityManagerTransactionCommit(driver->securityManager, -1) < 0) goto cleanup; transactionStarted = false; if (virSecurityManagerSetChildProcessLabel(driver->securityManager, def, cmd) < 0) goto cleanup; if (virSecurityManagerPreFork(driver->securityManager) < 0) goto cleanup; ret = 0; /* make sure we run this with the appropriate user */ virCommandSetUID(cmd, uid); virCommandSetGID(cmd, gid); *cmdret = virCommandRun(cmd, exitstatus); virSecurityManagerPostFork(driver->securityManager); if (*cmdret < 0) goto cleanup; return 0; cleanup: if (!transactionStarted && virSecurityManagerTransactionStart(driver->securityManager) >= 0) transactionStarted = true; virSecurityManagerRestoreTPMLabels(driver->securityManager, def); if (transactionStarted && virSecurityManagerTransactionCommit(driver->securityManager, -1) < 0) VIR_WARN("Unable to run security manager transaction"); virSecurityManagerTransactionAbort(driver->securityManager); return ret; } void qemuSecurityCleanupTPMEmulator(virQEMUDriverPtr driver, virDomainDefPtr def) { bool transactionStarted = false; if (virSecurityManagerTransactionStart(driver->securityManager) >= 0) transactionStarted = true; virSecurityManagerRestoreTPMLabels(driver->securityManager, def); if (transactionStarted && virSecurityManagerTransactionCommit(driver->securityManager, -1) < 0) VIR_WARN("Unable to run security manager transaction"); virSecurityManagerTransactionAbort(driver->securityManager); } int qemuSecurityDomainSetPathLabel(virQEMUDriverPtr driver, virDomainObjPtr vm, const char *path, bool allowSubtree) { pid_t pid = -1; int ret = -1; if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid = vm->pid; if (virSecurityManagerTransactionStart(driver->securityManager) < 0) goto cleanup; if (virSecurityManagerDomainSetPathLabel(driver->securityManager, vm->def, path, allowSubtree) < 0) goto cleanup; if (virSecurityManagerTransactionCommit(driver->securityManager, pid) < 0) goto cleanup; ret = 0; cleanup: virSecurityManagerTransactionAbort(driver->securityManager); return ret; } int qemuSecuritySetSavedStateLabel(virQEMUDriverPtr driver, virDomainObjPtr vm, const char *savefile) { pid_t pid = -1; int ret = -1; if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid = vm->pid; if (virSecurityManagerTransactionStart(driver->securityManager) < 0) goto cleanup; if (virSecurityManagerSetSavedStateLabel(driver->securityManager, vm->def, savefile) < 0) goto cleanup; if (virSecurityManagerTransactionCommit(driver->securityManager, pid) < 0) goto cleanup; ret = 0; cleanup: virSecurityManagerTransactionAbort(driver->securityManager); return ret; } int qemuSecurityRestoreSavedStateLabel(virQEMUDriverPtr driver, virDomainObjPtr vm, const char *savefile) { pid_t pid = -1; int ret = -1; if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid = vm->pid; if (virSecurityManagerTransactionStart(driver->securityManager) < 0) goto cleanup; if (virSecurityManagerRestoreSavedStateLabel(driver->securityManager, vm->def, savefile) < 0) goto cleanup; if (virSecurityManagerTransactionCommit(driver->securityManager, pid) < 0) goto cleanup; ret = 0; cleanup: virSecurityManagerTransactionAbort(driver->securityManager); return ret; }