From: Michal Privoznik
Date: Tue, 3 Jan 2023 09:29:01 +0000 (+0100)
Subject: security_selinux: Set and restore /dev/sgx_* labels
X-Git-Tag: v9.0.0-rc2~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ed6b8a30b90807d5a4d6bc0a5d0ec99fd5f040ff;p=thirdparty%2Flibvirt.git

security_selinux: Set and restore /dev/sgx_* labels

For SGX type of memory, QEMU needs to open and talk to /dev/sgx_vepc and /dev/sgx_provision files. But we do not set nor restore SELinux labels on these files when starting a guest.

Signed-off-by: Michal Privoznik
Reviewed-by: Ján Tomko
---
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 4036a2c27a..9be8f458d1 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -47,9 +47,6 @@ VIR_LOG_INIT("security.security_dac");
 #define SECURITY_DAC_NAME "dac"
-#define DEV_SEV "/dev/sev"
-#define DEV_SGX_VEPC "/dev/sgx_vepc"
-#define DEV_SGX_PROVISION "/dev/sgx_provision"
 typedef struct _virSecurityDACData virSecurityDACData;
 struct _virSecurityDACData {
diff --git a/src/security/security_manager.h b/src/security/security_manager.h
index 60597ffc0a..4afdcc167b 100644
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@@ -23,6 +23,10 @@
 #include "domain_conf.h"
 #include "vircommand.h"
+#define DEV_SEV "/dev/sev"
+#define DEV_SGX_VEPC "/dev/sgx_vepc"
+#define DEV_SGX_PROVISION "/dev/sgx_provision"
+
 typedef struct _virSecurityManager virSecurityManager;
 typedef enum {
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index a42d86216a..4d4a1705e6 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1577,10 +1577,21 @@ virSecuritySELinuxSetMemoryLabel(virSecurityManager *mgr,
             return -1;
         break;
+    case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
+        seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
+        if (!seclabel || !seclabel->relabel)
+            return 0;
+
+        if (virSecuritySELinuxSetFilecon(mgr, DEV_SGX_VEPC,
+                                         seclabel->imagelabel, true) < 0 ||
+            virSecuritySELinuxSetFilecon(mgr, DEV_SGX_PROVISION,
+                                         seclabel->imagelabel, true) < 0)
+            return -1;
+        break;
+
     case VIR_DOMAIN_MEMORY_MODEL_NONE:
     case VIR_DOMAIN_MEMORY_MODEL_DIMM:
     case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
-    case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
     case VIR_DOMAIN_MEMORY_MODEL_LAST:
         break;
     }
@@ -1607,9 +1618,18 @@ virSecuritySELinuxRestoreMemoryLabel(virSecurityManager *mgr,
         ret = virSecuritySELinuxRestoreFileLabel(mgr, mem->nvdimmPath, true);
         break;
+    case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
+        seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
+        if (!seclabel || !seclabel->relabel)
+            return 0;
+
+        ret = virSecuritySELinuxRestoreFileLabel(mgr, DEV_SGX_VEPC, true);
+        if (virSecuritySELinuxRestoreFileLabel(mgr, DEV_SGX_PROVISION, true) < 0)
+            ret = -1;
+        break;
+
     case VIR_DOMAIN_MEMORY_MODEL_DIMM:
     case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
-    case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
     case VIR_DOMAIN_MEMORY_MODEL_NONE:
     case VIR_DOMAIN_MEMORY_MODEL_LAST:
         ret = 0;
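Review bot: The new SGX_EPC case labels /dev/sgx_vepc and /dev/sgx_provision with `seclabel->imagelabel`, which is the domain's own label, yet both paths are host-wide device nodes that every SGX-enabled guest on the host must open. If imagelabel carries a per-domain MCS category (the sVirt default, to be confirmed), two concurrently running SGX domains will ask for two different labels on the same remembered path (the trailing `true` looks like the remember/refcount flag), so either the second start is refused as a label conflict or one domain's label silently replaces the other's — whichever the remember logic does, it should be checked with two SGX guests before this ships. A shared, non-categorised label for devices used by several guests would be the safer choice here, the same way a host-wide node such as /dev/sev presumably is handled elsewhere in this file; at minimum a comment above the case should state why the per-domain label is considered acceptable for a shared node. virSecuritySELinuxSetMemoryLabel's body starts before and ends after this hunk.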
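Review bot: The restore side carries no explanation of why a per-domain memory device tears down the label on two host-wide nodes, which a reader will otherwise take for a bug when several SGX guests are running. A comment above the case would settle it: `/* /dev/sgx_* are host-wide nodes shared by every SGX guest; the trailing 'true' asks for the remembered-label bookkeeping so the original label only comes back once the last user is gone (verify this matches virSecuritySELinuxRestoreFileLabel's semantics). */`. Continuing to the second restore after the first fails, and only then folding the failure into `ret`, is the right shape and deserves a one-line note of its own. virSecuritySELinuxRestoreMemoryLabel's body starts before and ends after this hunk.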