Re: [libvirt] [PATCH v3 07/11] Add SELinux and DAC labeling support for TPM passthrough
On 04/01/2013 05:06 PM, Corey Bryant wrote:
On 03/21/2013 11:42 AM, Stefan Berger wrote:
Signed-off-by: Stefan Bergerstef...@linux.vnet.ibm.com
---
src/security/security_dac.c | 53 ++
src/security/security_selinux.c | 96
2 files changed, 149 insertions(+)
Index: libvirt/src/security/security_selinux.c
===
--- libvirt.orig/src/security/security_selinux.c
+++ libvirt/src/security/security_selinux.c
@@ -45,6 +45,7 @@
#include virrandom.h
#include virutil.h
#include virconf.h
+#include virtpm.h
#define VIR_FROM_THIS VIR_FROM_SECURITY
@@ -76,6 +77,12 @@ struct _virSecuritySELinuxCallbackData {
#define SECURITY_SELINUX_VOID_DOI 0
#define SECURITY_SELINUX_NAME selinux
+static int
+virSecuritySELinuxRestoreSecurityTPMFileLabelInt(virSecurityManagerPtr
mgr,
+ virDomainDefPtr def,
+ virDomainTPMDefPtr tpm);
+
+
/*
* Returns 0 on success, 1 if already reserved, or -1 on fatal error
*/
@@ -1062,6 +1069,84 @@ err:
return rc;
}
+
+static int
+virSecuritySELinuxSetSecurityTPMFileLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ virDomainTPMDefPtr tpm)
+{
+int rc;
+virSecurityLabelDefPtr seclabel;
+char *cancel_path;
+
+seclabel = virDomainDefGetSecurityLabelDef(def,
SECURITY_SELINUX_NAME);
+if (seclabel == NULL)
+return -1;
+
+switch (tpm-type) {
+case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
+rc = virSecuritySELinuxSetFilecon(
+ tpm-data.passthrough.source.data.file.path,
+ seclabel-imagelabel);
+if (rc 0)
+return -1;
+
+if ((cancel_path = virTPMFindCancelPath()) != NULL) {
+rc = virSecuritySELinuxSetFilecon(cancel_path,
+ seclabel-imagelabel);
+VIR_FREE(cancel_path);
+if (rc 0) {
+ virSecuritySELinuxRestoreSecurityTPMFileLabelInt(mgr, def,
+ tpm);
+return -1;
+}
+} else {
+virReportError(VIR_ERR_INTERNAL_ERROR, %s,
+ _(Cannot determine TPM command cancel
path));
+return -1;
This makes me wonder if cancel-path should be specifiable at the
libvirt level rather than just using the default sysfs entry. If I've
read the code correctly I don't think it can currently be specified.
However QEMU is capable of taking a cancel-path string in case it is
different from the default sysfs path.
I am not sure whether to allow users to specify the path and
misconfigure it and to have QEMU write a letter into the wrong file. I
wonder whether we could have libvirt determine the path and display it
in the XML as read-only, though.
Stefan
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH v3 07/11] Add SELinux and DAC labeling support for TPM passthrough
On 04/02/2013 07:15 AM, Stefan Berger wrote:
On 04/01/2013 05:06 PM, Corey Bryant wrote:
On 03/21/2013 11:42 AM, Stefan Berger wrote:
Signed-off-by: Stefan Bergerstef...@linux.vnet.ibm.com
---
src/security/security_dac.c | 53 ++
src/security/security_selinux.c | 96
2 files changed, 149 insertions(+)
Index: libvirt/src/security/security_selinux.c
===
--- libvirt.orig/src/security/security_selinux.c
+++ libvirt/src/security/security_selinux.c
@@ -45,6 +45,7 @@
#include virrandom.h
#include virutil.h
#include virconf.h
+#include virtpm.h
#define VIR_FROM_THIS VIR_FROM_SECURITY
@@ -76,6 +77,12 @@ struct _virSecuritySELinuxCallbackData {
#define SECURITY_SELINUX_VOID_DOI 0
#define SECURITY_SELINUX_NAME selinux
+static int
+virSecuritySELinuxRestoreSecurityTPMFileLabelInt(virSecurityManagerPtr
mgr,
+ virDomainDefPtr def,
+ virDomainTPMDefPtr tpm);
+
+
/*
* Returns 0 on success, 1 if already reserved, or -1 on fatal error
*/
@@ -1062,6 +1069,84 @@ err:
return rc;
}
+
+static int
+virSecuritySELinuxSetSecurityTPMFileLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ virDomainTPMDefPtr tpm)
+{
+int rc;
+virSecurityLabelDefPtr seclabel;
+char *cancel_path;
+
+seclabel = virDomainDefGetSecurityLabelDef(def,
SECURITY_SELINUX_NAME);
+if (seclabel == NULL)
+return -1;
+
+switch (tpm-type) {
+case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
+rc = virSecuritySELinuxSetFilecon(
+ tpm-data.passthrough.source.data.file.path,
+ seclabel-imagelabel);
+if (rc 0)
+return -1;
+
+if ((cancel_path = virTPMFindCancelPath()) != NULL) {
+rc = virSecuritySELinuxSetFilecon(cancel_path,
+ seclabel-imagelabel);
+VIR_FREE(cancel_path);
+if (rc 0) {
+ virSecuritySELinuxRestoreSecurityTPMFileLabelInt(mgr, def,
+ tpm);
+return -1;
+}
+} else {
+virReportError(VIR_ERR_INTERNAL_ERROR, %s,
+ _(Cannot determine TPM command cancel
path));
+return -1;
This makes me wonder if cancel-path should be specifiable at the
libvirt level rather than just using the default sysfs entry. If I've
read the code correctly I don't think it can currently be specified.
However QEMU is capable of taking a cancel-path string in case it is
different from the default sysfs path.
I am not sure whether to allow users to specify the path and
misconfigure it and to have QEMU write a letter into the wrong file. I
wonder whether we could have libvirt determine the path and display it
in the XML as read-only, though.
Stefan
After discussing with Stefan some more, I think just using the default
path is enough. I don't know why the sysfs path would not be the
default anyway. And as far as I know we've decided not to support fd
passing for vTPM, at least at this point, so that is not a concern.
--
Regards,
Corey Bryant
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH v3 07/11] Add SELinux and DAC labeling support for TPM passthrough
On 03/21/2013 11:42 AM, Stefan Berger wrote:
Signed-off-by: Stefan Bergerstef...@linux.vnet.ibm.com
---
src/security/security_dac.c | 53 ++
src/security/security_selinux.c | 96
2 files changed, 149 insertions(+)
Index: libvirt/src/security/security_selinux.c
===
--- libvirt.orig/src/security/security_selinux.c
+++ libvirt/src/security/security_selinux.c
@@ -45,6 +45,7 @@
#include virrandom.h
#include virutil.h
#include virconf.h
+#include virtpm.h
#define VIR_FROM_THIS VIR_FROM_SECURITY
@@ -76,6 +77,12 @@ struct _virSecuritySELinuxCallbackData {
#define SECURITY_SELINUX_VOID_DOI 0
#define SECURITY_SELINUX_NAME selinux
+static int
+virSecuritySELinuxRestoreSecurityTPMFileLabelInt(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ virDomainTPMDefPtr tpm);
+
+
/*
* Returns 0 on success, 1 if already reserved, or -1 on fatal error
*/
@@ -1062,6 +1069,84 @@ err:
return rc;
}
+
+static int
+virSecuritySELinuxSetSecurityTPMFileLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ virDomainTPMDefPtr tpm)
+{
+int rc;
+virSecurityLabelDefPtr seclabel;
+char *cancel_path;
+
+seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
+if (seclabel == NULL)
+return -1;
+
+switch (tpm-type) {
+case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
+rc = virSecuritySELinuxSetFilecon(
+ tpm-data.passthrough.source.data.file.path,
+ seclabel-imagelabel);
+if (rc 0)
+return -1;
+
+if ((cancel_path = virTPMFindCancelPath()) != NULL) {
+rc = virSecuritySELinuxSetFilecon(cancel_path,
+ seclabel-imagelabel);
+VIR_FREE(cancel_path);
+if (rc 0) {
+virSecuritySELinuxRestoreSecurityTPMFileLabelInt(mgr, def,
+ tpm);
+return -1;
+}
+} else {
+virReportError(VIR_ERR_INTERNAL_ERROR, %s,
+ _(Cannot determine TPM command cancel path));
+return -1;
This makes me wonder if cancel-path should be specifiable at the libvirt
level rather than just using the default sysfs entry. If I've read the
code correctly I don't think it can currently be specified. However
QEMU is capable of taking a cancel-path string in case it is different
from the default sysfs path.
--
Regards,
Corey Bryant
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
