Normally when a child process is started by libvirt, the SELinux label
of that process is set to virtd_t (plus an MCS range). In at least one
case (passt) we need for the SELinux label of a child process label to
match the label that the binary would have transitioned to
automatically if it had been run standalone (in the case of passt,
that label is passt_t).
This patch modifies virSecuritySELinuxSetChildProcessLabel() (and all
the functions above it in the call chain) so that the toplevel
function can set a new argument "useBinarySpecificLabel" to true. If
it is true, then virSecuritySELinuxSetChildProcessLabel() will call
the new function virSecuritySELinuxContextSetFromFile(), which uses
the selinux library function security_compute_create() to determine
what would be the label of the new process if it had been run
standalone (rather than being run by libvirt) - the MCS range from the
normally-used label is added to this newly derived label, and that is
what is used for the new process rather than whatever is in the
domain's security label (which will usually be virtd_t).
In order to easily verify that nothing was broken by these changes to
the call chain, all callers currently set useBinarySpecificPath =
false, so all behavior should be completely unchanged. (The next
patch will set it to true only for the case of running passt.)
https://bugzilla.redhat.com/
2172267
Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
virCommandDaemonize(cmd);
virCommandAddArgFormat(cmd, "--config-file=%s", configfile);
- if (qemuSecurityCommandRun(driver, vm, cmd, -1, -1, NULL) < 0)
+ if (qemuSecurityCommandRun(driver, vm, cmd, -1, -1, false, NULL) < 0)
goto cleanup;
if (virPidFileReadPath(pidfile, &cpid) < 0) {
if (qemuExtDeviceLogCommand(driver, vm, cmd, "passt") < 0)
return -1;
- if (qemuSecurityCommandRun(driver, vm, cmd, -1, -1, NULL) < 0)
+ if (qemuSecurityCommandRun(driver, vm, cmd, -1, -1, false, NULL) < 0)
goto error;
return 0;
VIR_DEBUG("Setting up security labelling");
if (qemuSecuritySetChildProcessLabel(driver->securityManager,
- vm->def, cmd) < 0)
+ vm->def, false, cmd) < 0)
goto cleanup;
virCommandSetOutputFD(cmd, &logfile);
virCommand *cmd,
uid_t uid,
gid_t gid,
+ bool useBinarySpecificLabel,
int *exitstatus)
{
g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
int ret = -1;
if (virSecurityManagerSetChildProcessLabel(driver->securityManager,
- vm->def, cmd) < 0)
+ vm->def, useBinarySpecificLabel,
+ cmd) < 0) {
return -1;
+ }
if (uid != (uid_t) -1)
virCommandSetUID(cmd, uid);
virCommand *cmd,
uid_t uid,
gid_t gid,
+ bool useBinarySpecificLabel,
int *exitstatus);
/* Please note that for these APIs there is no wrapper yet. Do NOT blindly add
if (qemuExtDeviceLogCommand(driver, vm, cmd, "slirp") < 0)
goto error;
- if (qemuSecurityCommandRun(driver, vm, cmd, -1, -1, NULL) < 0)
+ if (qemuSecurityCommandRun(driver, vm, cmd, -1, -1, false, NULL) < 0)
goto error;
rc = virPidFileReadPath(pidfile, &pid);
return -1;
if (qemuSecurityCommandRun(driver, vm, cmd, cfg->swtpm_user,
- cfg->swtpm_group, NULL) < 0)
+ cfg->swtpm_group, false, NULL) < 0) {
goto error;
+ }
if (virPidFileReadPath(pidfile, &pid) < 0) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
virCommandAddArgFormat(cmd, "--render-node=%s", video->accel->rendernode);
}
- if (qemuSecurityCommandRun(driver, vm, cmd, -1, -1, NULL) < 0)
+ if (qemuSecurityCommandRun(driver, vm, cmd, -1, -1, false, NULL) < 0)
goto error;
rc = virPidFileReadPath(pidfile, &pid);
static int
AppArmorSetSecurityChildProcessLabel(virSecurityManager *mgr G_GNUC_UNUSED,
virDomainDef *def,
+ bool useBinarySpecificLabel G_GNUC_UNUSED,
virCommand *cmd)
{
g_autofree char *profile_name = NULL;
static int
virSecurityDACSetChildProcessLabel(virSecurityManager *mgr,
virDomainDef *def,
+ bool useBinarySpecificLabel G_GNUC_UNUSED,
virCommand *cmd)
{
virSecurityDACData *priv = virSecurityManagerGetPrivateData(mgr);
virDomainDef *def);
typedef int (*virSecurityDomainSetChildProcessLabel) (virSecurityManager *mgr,
virDomainDef *def,
+ bool useBinarySpecificLabel,
virCommand *cmd);
typedef int (*virSecurityDomainSecurityVerify) (virSecurityManager *mgr,
virDomainDef *def);
int
virSecurityManagerSetChildProcessLabel(virSecurityManager *mgr,
virDomainDef *vm,
+ bool useBinarySpecificLabel,
virCommand *cmd)
{
- if (mgr->drv->domainSetSecurityChildProcessLabel)
- return mgr->drv->domainSetSecurityChildProcessLabel(mgr, vm, cmd);
+ if (mgr->drv->domainSetSecurityChildProcessLabel) {
+ return mgr->drv->domainSetSecurityChildProcessLabel(mgr, vm,
+ useBinarySpecificLabel,
+ cmd);
+ }
virReportUnsupportedError();
return -1;
virDomainDef *def);
int virSecurityManagerSetChildProcessLabel(virSecurityManager *mgr,
virDomainDef *def,
+ bool useBinarySpecificLabel,
virCommand *cmd);
int virSecurityManagerVerify(virSecurityManager *mgr,
virDomainDef *def);
static int
virSecurityDomainSetChildProcessLabelNop(virSecurityManager *mgr G_GNUC_UNUSED,
virDomainDef *vm G_GNUC_UNUSED,
+ bool useBinarySpecificLabel G_GNUC_UNUSED,
virCommand *cmd G_GNUC_UNUSED)
{
return 0;
return ret;
}
+
+static char *
+virSecuritySELinuxContextSetFromFile(const char *origLabel,
+ const char *binaryPath)
+{
+ g_autofree char *currentCon = NULL;
+ g_autofree char *binaryCon = NULL;
+ g_autofree char *naturalLabel = NULL;
+ g_autofree char *updatedLabel = NULL;
+
+ /* First learn what would be the context set
+ * if binaryPath was exec'ed from this process.
+ */
+ if (getcon(¤tCon) < 0) {
+ virReportSystemError(errno, "%s",
+ _("unable to get SELinux context for current process"));
+ return NULL;
+ }
+
+ if (getfilecon(binaryPath, &binaryCon) < 0) {
+ virReportSystemError(errno, _("unable to get SELinux context for '%s'"),
+ binaryPath);
+ return NULL;
+ }
+
+ if (security_compute_create(currentCon, binaryCon,
+ string_to_security_class("process"),
+ &naturalLabel) < 0) {
+ virReportSystemError(errno,
+ _("unable create new SELinux label based on label '%s' and file '%s'"),
+ origLabel, binaryPath);
+ return NULL;
+ }
+
+ /* now get the type from the original label
+ * (which already has proper MCS set) and add it to
+ * the new label
+ */
+ updatedLabel = virSecuritySELinuxContextAddRange(origLabel, naturalLabel);
+
+ VIR_DEBUG("original label: '%s' binary: '%s' binary-specific label: '%s'",
+ origLabel, binaryPath, NULLSTR(updatedLabel));
+ return g_steal_pointer(&updatedLabel);
+}
+
+
static char *
virSecuritySELinuxGenNewContext(const char *basecontext,
const char *mcs,
static int
virSecuritySELinuxSetChildProcessLabel(virSecurityManager *mgr G_GNUC_UNUSED,
virDomainDef *def,
+ bool useBinarySpecificLabel G_GNUC_UNUSED,
virCommand *cmd)
{
/* TODO: verify DOI */
virSecurityLabelDef *secdef;
+ g_autofree char *tmpLabel = NULL;
+ const char *label = NULL;
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
if (!secdef || !secdef->label)
return -1;
}
+ /* pick either the common label used by most binaries exec'ed by
+ * libvirt, or the specific label of this binary.
+ */
+ if (useBinarySpecificLabel) {
+ const char *binaryPath = virCommandGetBinaryPath(cmd);
+
+ if (!binaryPath)
+ return -1; /* error was already logged */
+
+ tmpLabel = virSecuritySELinuxContextSetFromFile(secdef->label,
+ binaryPath);
+ if (!tmpLabel)
+ return -1;
+
+ label = tmpLabel;
+
+ } else {
+
+ label = secdef->label;
+
+ }
+
/* save in cmd to be set after fork/before child process is exec'ed */
- virCommandSetSELinuxLabel(cmd, secdef->label);
+ virCommandSetSELinuxLabel(cmd, label);
return 0;
}
static int
virSecurityStackSetChildProcessLabel(virSecurityManager *mgr,
virDomainDef *vm,
+ bool useBinarySpecificLabel,
virCommand *cmd)
{
virSecurityStackData *priv = virSecurityManagerGetPrivateData(mgr);
int rc = 0;
for (; item; item = item->next) {
- if (virSecurityManagerSetChildProcessLabel(item->securityManager, vm, cmd) < 0)
+ if (virSecurityManagerSetChildProcessLabel(item->securityManager, vm,
+ useBinarySpecificLabel, cmd) < 0) {
rc = -1;
+ }
}
return rc;
projects / thirdparty / libvirt.git / commitdiff
