From nobody Tue Feb 10 06:04:47 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of redhat.com designates
 170.10.129.124 as permitted sender) client-ip=170.10.129.124;
 envelope-from=libvir-list-bounces@redhat.com;
 helo=us-smtp-delivery-124.mimecast.com;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com;
	dmarc=pass(p=none dis=none)  header.from=redhat.com
ARC-Seal: i=1; a=rsa-sha256; t=1677073371; cv=none;
	d=zohomail.com; s=zohoarc;
	b=BJKJtWHlNfuH6wgpp+1gOigTWz+/CE8ksSFY3Yy8GFc6fYleIe0fcj9A7Dk54ByEgIp6XkIfjU+n0cB6fcy7ELdFkrWwO6Dyqiuuh1jche5Y3qeK92GEff1WNzF9hUYSUwqzdRWLZeGOm6BfQlKzzgFsEJrIfovhqWhLTfGdXv0=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1677073371;
 h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To;
	bh=xBfJIwufUEZsRxQJ+zKlUYd4haOcnVh4i88SQTuQwzQ=;
	b=anhX2mSXTktKv/bWC4koHSKSK3d5RVynjcu22M0vjGRNzkdlFQnnn3taHYUljy7plesQyoXnf3iGjv1VczPtlzo+gngY4MaduVC1GmtOvCM049ya0Na7bOUSA8AbtKJIqkIzzBotwev2yZ6CbFD1I/b8sQ/Cb8+TIqGOOmTtEx4=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com;
	dmarc=pass header.from=<sbrivio@redhat.com> (p=none dis=none)
Return-Path: <libvir-list-bounces@redhat.com>
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by mx.zohomail.com
	with SMTPS id 1677073371648478.37284278577;
 Wed, 22 Feb 2023 05:42:51 -0800 (PST)
Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com
 [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 us-mta-433-DO7_CGZuPN2TPgG2uL4_ZA-1; Wed, 22 Feb 2023 08:42:49 -0500
Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.rdu2.redhat.com
 [10.11.54.2])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 9085B1991C42;
	Wed, 22 Feb 2023 13:42:46 +0000 (UTC)
Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com
 (mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com [10.30.29.100])
	by smtp.corp.redhat.com (Postfix) with ESMTP id A52B940C1423;
	Wed, 22 Feb 2023 13:42:42 +0000 (UTC)
Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com
 (localhost [IPv6:::1])
	by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with
 ESMTP id 7353B1946588;
	Wed, 22 Feb 2023 13:42:42 +0000 (UTC)
Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com
 [10.11.54.3])
 by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with
 ESMTP id 2BC7E1946587 for <libvir-list@listman.corp.redhat.com>;
 Wed, 22 Feb 2023 13:21:36 +0000 (UTC)
Received: by smtp.corp.redhat.com (Postfix)
 id 09F121121318; Wed, 22 Feb 2023 13:21:36 +0000 (UTC)
Received: from mimecast-mx02.redhat.com
 (mimecast08.extmail.prod.ext.rdu2.redhat.com [10.11.55.24])
 by smtp.corp.redhat.com (Postfix) with ESMTPS id 027FD1121315
 for <libvir-list@redhat.com>; Wed, 22 Feb 2023 13:21:35 +0000 (UTC)
Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com
 [205.139.110.120])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 6386F3814944
 for <libvir-list@redhat.com>; Wed, 22 Feb 2023 13:21:35 +0000 (UTC)
Received: from passt.top (passt.top [88.198.0.164]) by relay.mimecast.com
 with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_128_GCM_SHA256)
 id us-mta-570-EadaIsfvM7Cn5axE79Jwmw-1; Wed, 22 Feb 2023 08:21:33 -0500
Received: by passt.top (Postfix, from userid 1000)
 id F0EEF5A0082; Wed, 22 Feb 2023 14:21:31 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1677073370;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:list-id:list-help:
	 list-unsubscribe:list-subscribe:list-post;
	bh=xBfJIwufUEZsRxQJ+zKlUYd4haOcnVh4i88SQTuQwzQ=;
	b=KWY6TI4pN0s7QKy8sQiOLl5brEfG4xmwwvFSl34A0u6bG3PzbfWlim7z08gKrTN7Cjwh0y
	Mf5afbmvJgfVK0uQjFUVAHRw2viBB6426Qa6rEr4FTwL70NG7WlkUZm4QTrek1qKvJt736
	3opyIabPfqYJu3Q0h91ZsaY/DkxpxoQ=
X-MC-Unique: DO7_CGZuPN2TPgG2uL4_ZA-1
X-Original-To: libvir-list@listman.corp.redhat.com
X-MC-Unique: EadaIsfvM7Cn5axE79Jwmw-1
From: Stefano Brivio <sbrivio@redhat.com>
To: libvir-list@redhat.com
Subject: [PATCH v2 1/3] qemu_passt: Don't make passt transition to
 svirt_t/libvirt_domain on start
Date: Wed, 22 Feb 2023 14:21:29 +0100
Message-Id: <20230222132131.3811642-2-sbrivio@redhat.com>
In-Reply-To: <20230222132131.3811642-1-sbrivio@redhat.com>
References: <20230222132131.3811642-1-sbrivio@redhat.com>
MIME-Version: 1.0
X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection
 Definition; Similar Internal Domain=false;
 Similar Monitored External Domain=false; Custom External Domain=false;
 Mimecast External Domain=false; Newly Observed Domain=false;
 Internal User Name=false; Custom Display Name List=false;
 Reply-to Address Mismatch=false; Targeted Threat Dictionary=false;
 Mimecast Threat Dictionary=false; Custom Threat Dictionary=false
X-Scanned-By: MIMEDefang 3.1 on 10.11.54.3
X-BeenThere: libvir-list@redhat.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <libvir-list.redhat.com>
List-Unsubscribe: <https://listman.redhat.com/mailman/options/libvir-list>,
 <mailto:libvir-list-request@redhat.com?subject=unsubscribe>
List-Archive: <http://listman.redhat.com/archives/libvir-list/>
List-Post: <mailto:libvir-list@redhat.com>
List-Help: <mailto:libvir-list-request@redhat.com?subject=help>
List-Subscribe: <https://listman.redhat.com/mailman/listinfo/libvir-list>,
 <mailto:libvir-list-request@redhat.com?subject=subscribe>
Cc: =?UTF-8?q?Michal=20Pr=C3=ADvozn=C3=ADk?= <mprivozn@redhat.com>,
 Laine Stump <laine@redhat.com>
Errors-To: libvir-list-bounces@redhat.com
Sender: "libvir-list" <libvir-list-bounces@redhat.com>
X-Scanned-By: MIMEDefang 3.1 on 10.11.54.2
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Transfer-Encoding: quoted-printable
X-ZohoMail-DKIM: pass (identity @redhat.com)
X-ZM-MESSAGEID: 1677073373411100001
Content-Type: text/plain; charset="utf-8"; x-default="true"

qemuSecurityCommandRun() causes an explicit domain transition of the
new process, but passt ships with its own SELinux policy, with
external interfaces for libvirtd, so we simply need to transition
from virtd_t to passt_t as passt is executed. The qemu type
enforcement rules have little to do with it.

That is, if we switch to svirt_t, passt will run in the security
context that's intended for QEMU, which allows a number of
operations not needed by passt. On the other hand, with a switch
to svirt_t, passt won't be able to create its own PID file.

Usage of those new interfaces is implemented by this change in
selinux-policy:
  https://github.com/fedora-selinux/selinux-policy/pull/1613

Replace qemuSecurityCommandRun() with virCommandRun(), and explicitly
set the label, preserving the correct MCS range for the given VM
instance. This is a temporary measure: eventually, we'll need a more
generic and elegant mechanism for helper binaries.

Fixes: a56f0168d576 ("qemu: hook up passt config to qemu domains")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
 src/qemu/qemu_passt.c | 33 +++++++++++++++++++++++++++------
 1 file changed, 27 insertions(+), 6 deletions(-)

diff --git a/src/qemu/qemu_passt.c b/src/qemu/qemu_passt.c
index 1217a6a087..81f48dd630 100644
--- a/src/qemu/qemu_passt.c
+++ b/src/qemu/qemu_passt.c
@@ -30,6 +30,11 @@
 #include "virlog.h"
 #include "virpidfile.h"
=20
+#ifdef WITH_SELINUX
+# include <selinux/selinux.h>
+# include <selinux/context.h>
+#endif
+
 #define VIR_FROM_THIS VIR_FROM_NONE
=20
 VIR_LOG_INIT("qemu.passt");
@@ -158,8 +163,11 @@ qemuPasstStart(virDomainObj *vm,
     g_autofree char *errbuf =3D NULL;
     char macaddr[VIR_MAC_STRING_BUFLEN];
     size_t i;
-    int exitstatus =3D 0;
-    int cmdret =3D 0;
+#ifdef WITH_SELINUX
+    virSecurityLabelDef *seclabel;
+    context_t s;
+    const char *newLabel;
+#endif
=20
     cmd =3D virCommandNew(PASST);
=20
@@ -271,18 +279,31 @@ qemuPasstStart(virDomainObj *vm,
     if (qemuExtDeviceLogCommand(driver, vm, cmd, "passt") < 0)
         return -1;
=20
-    if (qemuSecurityCommandRun(driver, vm, cmd, -1, -1, &exitstatus, &cmdr=
et) < 0)
-        goto error;
+#ifdef WITH_SELINUX
+    /* TODO: Implement a new security manager function for helper binaries,
+     * possibly deriving domain names from security attributes of the help=
er
+     * binary itself.
+     */
+    seclabel =3D virDomainDefGetSecurityLabelDef(vm->def, "selinux");
+    s =3D context_new(seclabel->label);
+    context_type_set(s, "passt_t");
+    newLabel =3D context_str(s);
+
+    virCommandSetSELinuxLabel(cmd, newLabel);
+#endif
=20
-    if (cmdret < 0 || exitstatus !=3D 0) {
+    if (virCommandRun(cmd, NULL)) {
         virReportError(VIR_ERR_INTERNAL_ERROR,
                        _("Could not start 'passt': %s"), NULLSTR(errbuf));
         goto error;
     }
=20
+    context_free(s);
+
     return 0;
=20
  error:
-    qemuPasstKill(pidfile);
+    context_free(s);
+    qemuPasstKill(pidfile, passtSocketName);
     return -1;
 }
--=20
2.39.1