[libvirt PATCH 0/4] qemu/security: start passt process with correct SELinux label

Laine Stump posted 4 patches 1 year, 1 month ago
git fetch https://github.com/patchew-project/libvirt tags/patchew/20230309044908.29316-1-laine@redhat.com
[libvirt PATCH 0/4] qemu/security: start passt process with correct SELinux label
Posted by Laine Stump 1 year, 1 month ago
All the necessary explanation is in Patch 3/4

We may want to turn on this same behavior for some other external
processes, but right now the one we need it for is passt.

Resolves: https://bugzilla.redhat.com/2172267

Laine Stump (4):
  util: add an API to retrieve the resolved path to a virCommand's
    binary
  security: make args to virSecuritySELinuxContextAddRange() const
  security: make it possible to set SELinux label of child process from
    its binary
  qemu: set SELinux label of passt process to its own binary's label

 src/libvirt_private.syms         |  1 +
 src/qemu/qemu_dbus.c             |  2 +-
 src/qemu/qemu_passt.c            |  2 +-
 src/qemu/qemu_process.c          |  2 +-
 src/qemu/qemu_security.c         |  5 ++-
 src/qemu/qemu_security.h         |  1 +
 src/qemu/qemu_slirp.c            |  2 +-
 src/qemu/qemu_tpm.c              |  3 +-
 src/qemu/qemu_vhost_user_gpu.c   |  2 +-
 src/security/security_apparmor.c |  1 +
 src/security/security_dac.c      |  1 +
 src/security/security_driver.h   |  1 +
 src/security/security_manager.c  |  8 +++-
 src/security/security_manager.h  |  1 +
 src/security/security_nop.c      |  1 +
 src/security/security_selinux.c  | 77 ++++++++++++++++++++++++++++++--
 src/security/security_stack.c    |  5 ++-
 src/util/vircommand.c            | 51 ++++++++++++++++-----
 src/util/vircommand.h            |  1 +
 19 files changed, 143 insertions(+), 24 deletions(-)

-- 
2.39.2
Re: [libvirt PATCH 0/4] qemu/security: start passt process with correct SELinux label
Posted by Michal Prívozník 1 year, 1 month ago
On 3/9/23 05:49, Laine Stump wrote:
> All the necessary explanation is in Patch 3/4
> 
> We may want to turn on this same behavior for some other external
> processes, but right now the one we need it for is passt.
> 
> Resolves: https://bugzilla.redhat.com/2172267
> 
> Laine Stump (4):
>   util: add an API to retrieve the resolved path to a virCommand's
>     binary
>   security: make args to virSecuritySELinuxContextAddRange() const
>   security: make it possible to set SELinux label of child process from
>     its binary
>   qemu: set SELinux label of passt process to its own binary's label
> 
>  src/libvirt_private.syms         |  1 +
>  src/qemu/qemu_dbus.c             |  2 +-
>  src/qemu/qemu_passt.c            |  2 +-
>  src/qemu/qemu_process.c          |  2 +-
>  src/qemu/qemu_security.c         |  5 ++-
>  src/qemu/qemu_security.h         |  1 +
>  src/qemu/qemu_slirp.c            |  2 +-
>  src/qemu/qemu_tpm.c              |  3 +-
>  src/qemu/qemu_vhost_user_gpu.c   |  2 +-
>  src/security/security_apparmor.c |  1 +
>  src/security/security_dac.c      |  1 +
>  src/security/security_driver.h   |  1 +
>  src/security/security_manager.c  |  8 +++-
>  src/security/security_manager.h  |  1 +
>  src/security/security_nop.c      |  1 +
>  src/security/security_selinux.c  | 77 ++++++++++++++++++++++++++++++--
>  src/security/security_stack.c    |  5 ++-
>  src/util/vircommand.c            | 51 ++++++++++++++++-----
>  src/util/vircommand.h            |  1 +
>  19 files changed, 143 insertions(+), 24 deletions(-)
> 

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

Does this mean we should lift the temporary limitation documented in
NEWS.rst?

Michal
Re: [libvirt PATCH 0/4] qemu/security: start passt process with correct SELinux label
Posted by Andrea Bolognani 1 year, 1 month ago
On Fri, Mar 10, 2023 at 12:58:46PM +0100, Michal Prívozník wrote:
> On 3/9/23 05:49, Laine Stump wrote:
> > Laine Stump (4):
> >   util: add an API to retrieve the resolved path to a virCommand's
> >     binary
> >   security: make args to virSecuritySELinuxContextAddRange() const
> >   security: make it possible to set SELinux label of child process from
> >     its binary
> >   qemu: set SELinux label of passt process to its own binary's label
> >
> >  src/libvirt_private.syms         |  1 +
> >  src/qemu/qemu_dbus.c             |  2 +-
> >  src/qemu/qemu_passt.c            |  2 +-
> >  src/qemu/qemu_process.c          |  2 +-
> >  src/qemu/qemu_security.c         |  5 ++-
> >  src/qemu/qemu_security.h         |  1 +
> >  src/qemu/qemu_slirp.c            |  2 +-
> >  src/qemu/qemu_tpm.c              |  3 +-
> >  src/qemu/qemu_vhost_user_gpu.c   |  2 +-
> >  src/security/security_apparmor.c |  1 +
> >  src/security/security_dac.c      |  1 +
> >  src/security/security_driver.h   |  1 +
> >  src/security/security_manager.c  |  8 +++-
> >  src/security/security_manager.h  |  1 +
> >  src/security/security_nop.c      |  1 +
> >  src/security/security_selinux.c  | 77 ++++++++++++++++++++++++++++++--
> >  src/security/security_stack.c    |  5 ++-
> >  src/util/vircommand.c            | 51 ++++++++++++++++-----
> >  src/util/vircommand.h            |  1 +
> >  19 files changed, 143 insertions(+), 24 deletions(-)

Reviewed-by: Andrea Bolognani <abologna@redhat.com>

> Does this mean we should lift the temporary limitation documented in
> NEWS.rst?

Yes, we should definitely include that information in the release
notes. And since I've just pushed the patch that addresses the same
limitation for AppArmor, we can mention both in the same entry.

-- 
Andrea Bolognani / Red Hat / Virtualization
Re: [libvirt PATCH 0/4] qemu/security: start passt process with correct SELinux label
Posted by Laine Stump 1 year, 1 month ago
On 3/8/23 11:49 PM, Laine Stump wrote:
> All the necessary explanation is in Patch 3/4
> 
> We may want to turn on this same behavior for some other external
> processes, but right now the one we need it for is passt.
> 
> Resolves: https://bugzilla.redhat.com/2172267

I forgot to mention that proper operation requires the latest updates to 
passt, as well as a patch to selinux-policy that still needs to be 
posted/merged.

> 
> Laine Stump (4):
>    util: add an API to retrieve the resolved path to a virCommand's
>      binary
>    security: make args to virSecuritySELinuxContextAddRange() const
>    security: make it possible to set SELinux label of child process from
>      its binary
>    qemu: set SELinux label of passt process to its own binary's label
> 
>   src/libvirt_private.syms         |  1 +
>   src/qemu/qemu_dbus.c             |  2 +-
>   src/qemu/qemu_passt.c            |  2 +-
>   src/qemu/qemu_process.c          |  2 +-
>   src/qemu/qemu_security.c         |  5 ++-
>   src/qemu/qemu_security.h         |  1 +
>   src/qemu/qemu_slirp.c            |  2 +-
>   src/qemu/qemu_tpm.c              |  3 +-
>   src/qemu/qemu_vhost_user_gpu.c   |  2 +-
>   src/security/security_apparmor.c |  1 +
>   src/security/security_dac.c      |  1 +
>   src/security/security_driver.h   |  1 +
>   src/security/security_manager.c  |  8 +++-
>   src/security/security_manager.h  |  1 +
>   src/security/security_nop.c      |  1 +
>   src/security/security_selinux.c  | 77 ++++++++++++++++++++++++++++++--
>   src/security/security_stack.c    |  5 ++-
>   src/util/vircommand.c            | 51 ++++++++++++++++-----
>   src/util/vircommand.h            |  1 +
>   19 files changed, 143 insertions(+), 24 deletions(-)
>