From: Michal Privoznik
To: libvir-list@redhat.com
Subject: [PATCH 1/2] security_selinux: Don't ignore NVMe disks when setting image label
Date: Thu, 22 Sep 2022 13:40:43 +0200

For NVMe disks we skip setting the SELinux label on the corresponding VFIO
group (/dev/vfio/X). This bug is most visible with namespaces and goes as
follows:

1) libvirt assigns the NVMe disk to the vfio-pci driver,
2) the kernel creates the /dev/vfio/X node with the generic device_t SELinux
   label,
3) our namespace code creates an exact copy of the node in the domain's
   private /dev,
4) SELinux policy kicks in and changes the label on the node to
   vfio_device_t (in the top-most namespace),
5) libvirt tells QEMU to attach the NVMe disk, which is denied by SELinux
   policy.

While one can argue that the kernel should have created the /dev/vfio/X node
with the correct SELinux label from the beginning (step 2), libvirt can't
rely on that and needs to set the label on its own.

Surprisingly, I already wrote the code that aims at this specific case
(v6.0.0-rc1~241), but because of a shortcut we take earlier it is never run.
The reason is that virStorageSourceIsLocalStorage() considers NVMe disks
non-local because their source is not accessible via src->path (or even if
it is, it's not a local path).

Therefore, do not exit early for NVMe disks and let the function continue.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2121441
Fixes: 284a12bae0e4cf93ea72797965d6c12e3a103f40
Signed-off-by: Michal Privoznik
Reviewed-by: Peter Krempa
---
 src/security/security_selinux.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 9f2872decc..a296cb7613 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1818,7 +1818,11 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityM= anager *mgr, const char *path =3D src->path; int ret; =20 - if (!src->path || !virStorageSourceIsLocalStorage(src)) + /* Special case NVMe. Per virStorageSourceIsLocalStorage() it's + * considered not local, but we still want the code below to set + * label on VFIO group. */ + if (src->type !=3D VIR_STORAGE_TYPE_NVME && + (!src->path || !virStorageSourceIsLocalStorage(src))) return 0; =20 secdef =3D virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
-- 
2.35.1
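Review bot: the NVMe carve-out in the new condition (`src->type != VIR_STORAGE_TYPE_NVME && (!src->path || !virStorageSourceIsLocalStorage(src))`) is applied at this one call site only; since the commit message attributes the problem to virStorageSourceIsLocalStorage() treating NVMe as non-local, any other driver that gates on the same helper before reaching its own VFIO-group labelling would skip the /dev/vfio/X node the same way. Either teach the helper that VIR_STORAGE_TYPE_NVME backs a local device node, or check the DAC and AppArmor image-label paths for the same early return, so this does not stay an SELinux-only fix. Minor: the added comment records what the helper thinks but not why the node still needs a label; a one-line pointer to the /dev/vfio/X copy in the domain's private /dev (from the commit message) would help the next reader.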
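The failure sequence in the commit message above hinges on which SELinux label ends up on the /dev/vfio/X node that libvirt resolves from the disk's PCI address. The following is an added example, not libvirt's code, that reproduces that resolution and check: it follows the `iommu_group` symlink under /sys/bus/pci/devices/<addr>/ to the IOMMU group number, derives /dev/vfio/<group>, reads the node's context from the `security.selinux` xattr and reports whether the type is the vfio_device_t the message says policy applies. The sysfs and /dev roots are parameters so the demo can run against a constructed directory tree; the PCI address 0000:01:00.0, group 42, the expected type constant and all function names are assumptions of the example.

```python
"""Resolve an NVMe disk's PCI address to its /dev/vfio/<group> node and
report the node's SELinux type.  Added example (not libvirt code); the
sysfs layout and xattr name are standard Linux, everything else is an
assumption of this demo."""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed demo values, not taken from any real host.
DEMO_PCI_ADDR = "0000:01:00.0"
DEMO_IOMMU_GROUP = 42
# The type the commit message says policy applies to /dev/vfio/X.
EXPECTED_TYPE = "vfio_device_t"

PCI_ADDR_RE = re.compile(r"^[0-9a-f]{4}:[0-9a-f]{2}:[0-9a-f]{2}\.[0-7]$")


@dataclass(frozen=True)
class SELinuxContext:
    user: str
    role: str
    type: str
    range: str  # empty where the policy carries no MLS range


def parse_context(raw: str) -> SELinuxContext:
    """Split 'user:role:type[:range]'.  The MLS range may itself contain
    ':' (e.g. 's0:c10,c20'), so only the first three colons separate fields;
    a trailing NUL, as stored in the xattr, is dropped."""
    parts = raw.rstrip("\x00").split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a SELinux context: {raw!r}")
    rng = parts[3] if len(parts) == 4 else ""
    return SELinuxContext(parts[0], parts[1], parts[2], rng)


def iommu_group_dev(pci_addr: str, sysfs_root: str = "/sys",
                    dev_root: str = "/dev") -> str:
    """Map a PCI address to /dev/vfio/<group> via the iommu_group symlink,
    which points at /sys/kernel/iommu_groups/<N>."""
    if not PCI_ADDR_RE.match(pci_addr):
        raise ValueError(f"bad PCI address: {pci_addr!r}")
    link = os.path.join(sysfs_root, "bus", "pci", "devices", pci_addr, "iommu_group")
    group = os.path.basename(os.readlink(link))
    if not group.isdigit():
        raise ValueError(f"unexpected iommu_group target for {pci_addr}: {group!r}")
    return os.path.join(dev_root, "vfio", group)


def read_context(path: str) -> Optional[SELinuxContext]:
    """Return the node's SELinux context, or None where no security.selinux
    xattr is available (SELinux disabled, non-Linux, or a plain test tree)."""
    getxattr = getattr(os, "getxattr", None)
    if getxattr is None:
        return None
    try:
        raw = getxattr(path, "security.selinux")
    except OSError:
        return None
    return parse_context(raw.decode())


def check_vfio_label(pci_addr: str, expected_type: str = EXPECTED_TYPE,
                     sysfs_root: str = "/sys", dev_root: str = "/dev"
                     ) -> Tuple[str, Optional[str], bool]:
    """Return (node path, actual type or None, whether it matches expected)."""
    node = iommu_group_dev(pci_addr, sysfs_root, dev_root)
    ctx = read_context(node)
    actual = ctx.type if ctx else None
    return node, actual, actual == expected_type


def build_fake_tree(root: str, pci_addr: str, group: int) -> Tuple[str, str]:
    """Constructed sysfs/dev layout so the resolution can run offline."""
    sysfs_root = os.path.join(root, "sys")
    dev_root = os.path.join(root, "dev")
    dev_dir = os.path.join(sysfs_root, "bus", "pci", "devices", pci_addr)
    group_dir = os.path.join(sysfs_root, "kernel", "iommu_groups", str(group))
    os.makedirs(dev_dir)
    os.makedirs(group_dir)
    os.makedirs(os.path.join(dev_root, "vfio"))
    os.symlink(os.path.relpath(group_dir, dev_dir), os.path.join(dev_dir, "iommu_group"))
    with open(os.path.join(dev_root, "vfio", str(group)), "w"):
        pass
    return sysfs_root, dev_root


def demo() -> Tuple[str, Optional[str], bool]:
    """Run the check against the constructed tree; the node resolves to
    vfio/42 and, being a plain file in a temp dir, never carries vfio_device_t."""
    with tempfile.TemporaryDirectory() as root:
        sysfs_root, dev_root = build_fake_tree(root, DEMO_PCI_ADDR, DEMO_IOMMU_GROUP)
        node, actual, ok = check_vfio_label(DEMO_PCI_ADDR, sysfs_root=sysfs_root,
                                            dev_root=dev_root)
        return os.path.relpath(node, dev_root), actual, ok


if __name__ == "__main__":
    print(demo())
```

On a real host call `check_vfio_label("<pci addr>")` for the disk's address. Because step 4 of the commit message says the top-level node does get relabelled by policy, the revealing check is the copy inside the domain's private /dev: run the same call from within the QEMU process's mount namespace (for example via nsenter -m -t <qemu pid>), where a device_t result on the node is the symptom the patch removes.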
From: Michal Privoznik
To: libvir-list@redhat.com
Subject: [PATCH 2/2] security_selinux: Move shortcut in virSecuritySELinuxSetImageLabelInternal() later
Date: Thu, 22 Sep 2022 13:40:44 +0200

At the beginning of virSecuritySELinuxSetImageLabelInternal() there's a
check that allows the function to return early. In the previous patch the
check was extended to not return early for NVMe disks. However, there's no
such check in other drivers (DAC, AppArmor). Therefore, move the check a
couple of lines down so that the resulting code is at least somewhat
similar to the rest of the secdrivers.

Signed-off-by: Michal Privoznik
---
 src/security/security_selinux.c | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index a296cb7613..26c6b281cc 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1818,13 +1818,6 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityM= anager *mgr, const char *path =3D src->path; int ret; =20 - /* Special case NVMe. Per virStorageSourceIsLocalStorage() it's - * considered not local, but we still want the code below to set - * label on VFIO group. */ - if (src->type !=3D VIR_STORAGE_TYPE_NVME && - (!src->path || !virStorageSourceIsLocalStorage(src))) - return 0; - secdef =3D virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); if (!secdef || !secdef->relabel) return 0;
@@ -1882,6 +1875,8 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityMa= nager *mgr, return -1; =20 path =3D vfioGroupDev; + } else if (!path || !virStorageSourceIsLocalStorage(src)) { + return 0; } =20 ret =3D virSecuritySELinuxSetFilecon(mgr, path, use_label, remember);
-- 
2.35.1
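Review bot: the first hunk (@@ -1818,13 +1818,6 @@) removes the only comment explaining why NVMe sources bypass the locality test, and the replacement `else if` in the second hunk carries no comment, so the VFIO-group special case becomes an unexplained exception again; please move the three-line "Special case NVMe" comment along with the check. Note also that non-local sources now pass through the virDomainDefGetSecurityLabelDef() lookup and its `!secdef || !secdef->relabel` return before being rejected; that is harmless, and it is what aligns this driver with the DAC/AppArmor ordering the commit message describes, but it is worth saying so in the message.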
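Review bot: in the second hunk (@@ -1882,6 +1875,8 @@) the new `} else if (!path || !virStorageSourceIsLocalStorage(src)) {` tests `path`, the variable initialised from src->path at the top of the function, not src->path itself; it is equivalent to the old `!src->path` only because the NVMe branch (`path = vfioGroupDev;`) is the sole assignment to `path` before this point, and being the else-branch of that NVMe block is what exempts NVMe. A short comment stating that invariant, or testing `src->path` directly, would keep the check from silently changing meaning if another branch ever assigns `path`. Also, does the restore counterpart of this function still have a matching early return ahead of its NVMe handling? It is not touched by this series; if it bails on `!virStorageSourceIsLocalStorage(src)` first, the label set on /dev/vfio/X here would not be restored.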