From: Michal Privoznik
Date: Wed, 5 Mar 2025 14:47:39 +0000 (+0100)
Subject: security: Set seclabels on UEFI shim
X-Git-Tag: v11.2.0-rc1~208
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9d1e4b25ba4ee243418e8aeb66ce5f6a6854c378;p=thirdparty%2Flibvirt.git

security: Set seclabels on UEFI shim

Again, trivial. Just copy what is done for kernel and initrd.

Signed-off-by: Michal Privoznik
Reviewed-by: Pavel Hrdina
---
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index b4d61bc576..e07977300f 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -2046,6 +2046,10 @@ virSecurityDACRestoreAllLabel(virSecurityManager *mgr,
 virSecurityDACRestoreFileLabel(mgr, def->os.initrd) < 0)
 rc = -1;

+ if (def->os.shim &&
+ virSecurityDACRestoreFileLabel(mgr, def->os.shim) < 0)
+ rc = -1;
+
 if (def->os.dtb &&
 virSecurityDACRestoreFileLabel(mgr, def->os.dtb) < 0)
 rc = -1;
@@ -2295,6 +2299,12 @@ virSecurityDACSetAllLabel(virSecurityManager *mgr,
 user, group, true) < 0)
 return -1;

+ if (def->os.shim &&
+ virSecurityDACSetOwnership(mgr, NULL,
+ def->os.shim,
+ user, group, true) < 0)
+ return -1;
+
 if (def->os.dtb &&
 virSecurityDACSetOwnership(mgr, NULL,
 def->os.dtb,
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index b8659e33d6..38e611f567 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -3009,6 +3009,10 @@ virSecuritySELinuxRestoreAllLabel(virSecurityManager *mgr,
 virSecuritySELinuxRestoreFileLabel(mgr, def->os.initrd, true) < 0)
 rc = -1;

+ if (def->os.shim &&
+ virSecuritySELinuxRestoreFileLabel(mgr, def->os.shim, true) < 0)
+ rc = -1;
+
 if (def->os.dtb &&
 virSecuritySELinuxRestoreFileLabel(mgr, def->os.dtb, true) < 0)
 rc = -1;
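Review bot: In the `virSecurityDACSetAllLabel` hunk the new `virSecurityDACSetOwnership` call chowns the shim to the domain's `user`/`group` even though QEMU presumably only reads it, and for a shim that is a distro-shipped binary shared by several domains (likely the common case, but not visible here) the trailing `true` is the only thing that makes that reversible; neither the `NULL` nor the `true` argument is self-describing, so a why-comment is warranted. Suggest placing `/* shim is read-only for QEMU and usually a shared distro file: remember the original owner so Restore can put it back */` above the new `if`. The matching restore hunk above it and the SELinux hunk use the same remember/recall flag, so this is consistent with kernel/initrd; both enclosing functions begin and end outside these hunks.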
@@ -3439,6 +3443,11 @@ virSecuritySELinuxSetAllLabel(virSecurityManager *mgr,
 data->content_context, true) < 0)
 return -1;

+ if (def->os.shim &&
+ virSecuritySELinuxSetFilecon(mgr, def->os.shim,
+ data->content_context, true) < 0)
+ return -1;
+
 if (def->os.dtb &&
 virSecuritySELinuxSetFilecon(mgr, def->os.dtb,
 data->content_context, true) < 0)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index fad2c89304..034c042007 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -970,6 +970,10 @@ get_files(vahControl * ctl)
 if (vah_add_file(&buf, ctl->def->os.initrd, "r") != 0)
 goto cleanup;

+ if (ctl->def->os.shim)
+ if (vah_add_file(&buf, ctl->def->os.shim, "r") != 0)
+ goto cleanup;
+
 if (ctl->def->os.dtb)
 if (vah_add_file(&buf, ctl->def->os.dtb, "r") != 0)
 goto cleanup;
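Review bot: Nothing in this patch exercises the new `get_files` rule, so a profile that silently omits the shim would not be caught: as far as the three files shown, no test data is touched, and if the existing virt-aa-helper and SELinux label test cases cover `<kernel>`/`<initrd>` a `<shim>` entry should be added alongside them so all three drivers are checked. The `"r"` mode itself is right for a binary QEMU loads but never writes, and it matches the read-only `data->content_context` chosen in the SELinux hunk above. Style only: the nested unbraced `if` mirrors the initrd/dtb lines around it, so keep it for consistency rather than collapsing it to `if (ctl->def->os.shim && vah_add_file(&buf, ctl->def->os.shim, "r") != 0) goto cleanup;`. `get_files` starts before and continues after the hunk.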