security: Set seclabels for pstore device

The acpi-erst backend for pstore device exposes a path in the
host accessible to the guest and as such we must set seclabels on
it to grant QEMU RW access.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Kristina Hanicova <khanicov@redhat.com>

diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 1a3b51a29819a485df48228c8a13a225f11277b7..59fc5b840f2cefe6d582ebb98edb2a1cd5449cc9 100644 (file)
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -1995,6 +1995,10 @@ virSecurityDACRestoreAllLabel(virSecurityManager *mgr,
         virSecurityDACRestoreFileLabel(mgr, def->os.slic_table) < 0)
         rc = -1;
 
+    if (def->pstore &&
+        virSecurityDACRestoreFileLabel(mgr, def->pstore->path) < 0)
+        rc = -1;
+
     return rc;
 }
 
@@ -2240,6 +2244,12 @@ virSecurityDACSetAllLabel(virSecurityManager *mgr,
                                    user, group, true) < 0)
         return -1;
 
+    if (def->pstore &&
+        virSecurityDACSetOwnership(mgr, NULL,
+                                   def->pstore->path,
+                                   user, group, true) < 0)
+        return -1;
+
     return 0;
 }
 

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index e29f627bc2609525ab4c56da34bcd46e57c1f792..ba0ce8fb9d182e25639b01449ca88e896f431928 100644 (file)
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -2911,6 +2911,10 @@ virSecuritySELinuxRestoreAllLabel(virSecurityManager *mgr,
         virSecuritySELinuxRestoreFileLabel(mgr, def->os.slic_table, true) < 0)
         rc = -1;
 
+    if (def->pstore &&
+        virSecuritySELinuxRestoreFileLabel(mgr, def->pstore->path, true) < 0)
+        rc = -1;
+
     return rc;
 }
 
@@ -3335,6 +3339,11 @@ virSecuritySELinuxSetAllLabel(virSecurityManager *mgr,
                                      data->content_context, true) < 0)
         return -1;
 
+    if (def->pstore &&
+        virSecuritySELinuxSetFilecon(mgr, def->pstore->path,
+                                     data->content_context, true) < 0)
+        return -1;
+
     return 0;
 }
 

diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 4d2b8ac4abe1b26003f8510321ced4657899b881..067a17f331b72474539d5cace585b0a809b4021f 100644 (file)
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1002,6 +1002,10 @@ get_files(vahControl * ctl)
         if (vah_add_file(&buf, ctl->def->os.slic_table, "r") != 0)
             goto cleanup;
 
+    if (ctl->def->pstore)
+        if (vah_add_file(&buf, ctl->def->pstore->path, "rw") != 0)
+            goto cleanup;
+
     if (ctl->def->os.loader && ctl->def->os.loader->path) {
         bool readonly = false;
         virTristateBoolToBool(ctl->def->os.loader->readonly, &readonly);