From: Michal Privoznik
To: libvir-list@redhat.com
Subject: [PATCH v2 6/8] secdrivers: Relabel firmware config files
Date: Thu, 4 Jun 2020 20:44:07 +0200
Message-Id: <36208614ffb19323b200051be8c66f23c5a64118.1591296170.git.mprivozn@redhat.com>

For the case where -fw_cfg uses a file, we need to set the seclabels on it to allow QEMU access. While QEMU allows writing into the file (if specified on the command line), so far we are enabling reading only and thus we can use a read-only label (in the case of SELinux).

Signed-off-by: Michal Privoznik
Reviewed-by: Daniel P. Berrangé
---
 src/security/security_dac.c     | 50 +++++++++++++++++++++++++++++++++
 src/security/security_selinux.c | 50 +++++++++++++++++++++++++++++++++
 src/security/virt-aa-helper.c   | 12 ++++++++
 3 files changed, 112 insertions(+)

diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 7b95a6f86d..7e65b78fbe 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -1916,6 +1916,24 @@ virSecurityDACRestoreSEVLabel(virSecurityManagerPtr = mgr G_GNUC_UNUSED, } =20 =20 +static int +virSecurityDACRestoreSysinfoLabel(virSecurityManagerPtr mgr, + virSysinfoDefPtr def) +{ + size_t i; + + for (i =3D 0; i < def->nfw_cfgs; i++) { + virSysinfoFWCfgDefPtr f =3D &def->fw_cfgs[i]; + + if (f->file && + virSecurityDACRestoreFileLabel(mgr, f->file) < 0) + return -1; + } + + return 0; +} + + static int virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr, virDomainDefPtr def, @@ -1991,6 +2009,12 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr = mgr, rc =3D -1; } =20 + for (i =3D 0; i < def->nsysinfo; i++) { + if (virSecurityDACRestoreSysinfoLabel(mgr, + def->sysinfo[i]) < 0) + rc =3D -1; + } + if (def->os.loader && def->os.loader->nvram && virSecurityDACRestoreFileLabel(mgr, def->os.loader->nvram) < 0) rc =3D -1; @@ -2094,6 +2118,27 @@ virSecurityDACSetSEVLabel(virSecurityManagerPtr mgr, } =20 =20 +static int +virSecurityDACSetSysinfoLabel(virSecurityManagerPtr mgr, + uid_t user, + gid_t group, + virSysinfoDefPtr def) +{ + size_t i; + + for (i =3D 0; i < def->nfw_cfgs; i++) { + virSysinfoFWCfgDefPtr f =3D &def->fw_cfgs[i]; + + if (f->file && + virSecurityDACSetOwnership(mgr, NULL, f->file, + user, group, true) < 0) + return -1; + } + + return 0; +} + + static int virSecurityDACSetAllLabel(virSecurityManagerPtr mgr, virDomainDefPtr def, @@ -2173,6 +2218,11 @@ virSecurityDACSetAllLabel(virSecurityManagerPtr mgr, if (virSecurityDACGetImageIds(secdef, priv, &user, &group)) return -1; =20 + for (i =3D 0; i < def->nsysinfo; i++) { + if (virSecurityDACSetSysinfoLabel(mgr, user, group, def->sysinfo[i= ]) < 0) + return -1; + } + if (def->os.loader && def->os.loader->nvram && virSecurityDACSetOwnership(mgr, NULL, def->os.loader->nvram, diff --git a/src/security/security_selinux.c b/src/security/security_selinu= x.c index 7bb7c2b7b1..e6819af26c 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c 
@@ -2720,6 +2720,24 @@ virSecuritySELinuxGetBaseLabel(virSecurityManagerPtr= mgr, int virtType) } =20 =20 +static int +virSecuritySELinuxRestoreSysinfoLabel(virSecurityManagerPtr mgr, + virSysinfoDefPtr def) +{ + size_t i; + + for (i =3D 0; i < def->nfw_cfgs; i++) { + virSysinfoFWCfgDefPtr f =3D &def->fw_cfgs[i]; + + if (f->file && + virSecuritySELinuxRestoreFileLabel(mgr, f->file, true) < 0) + return -1; + } + + return 0; +} + + static int virSecuritySELinuxRestoreAllLabel(virSecurityManagerPtr mgr, virDomainDefPtr def, @@ -2786,6 +2804,11 @@ virSecuritySELinuxRestoreAllLabel(virSecurityManager= Ptr mgr, mgr) < 0) rc =3D -1; =20 + for (i =3D 0; i < def->nsysinfo; i++) { + if (virSecuritySELinuxRestoreSysinfoLabel(mgr, def->sysinfo[i]) < = 0) + rc =3D -1; + } + if (def->os.loader && def->os.loader->nvram && virSecuritySELinuxRestoreFileLabel(mgr, def->os.loader->nvram, tru= e) < 0) rc =3D -1; @@ -3123,6 +3146,26 @@ virSecuritySELinuxSetSecuritySmartcardCallback(virDo= mainDefPtr def, } =20 =20 +static int +virSecuritySELinuxSetSysinfoLabel(virSecurityManagerPtr mgr, + virSysinfoDefPtr def, + virSecuritySELinuxDataPtr data) +{ + size_t i; + + for (i =3D 0; i < def->nfw_cfgs; i++) { + virSysinfoFWCfgDefPtr f =3D &def->fw_cfgs[i]; + + if (f->file && + virSecuritySELinuxSetFilecon(mgr, f->file, + data->content_context, true) < 0) + return -1; + } + + return 0; +} + + static int virSecuritySELinuxSetAllLabel(virSecurityManagerPtr mgr, virDomainDefPtr def, @@ -3194,6 +3237,13 @@ virSecuritySELinuxSetAllLabel(virSecurityManagerPtr = mgr, mgr) < 0) return -1; =20 + for (i =3D 0; i < def->nsysinfo; i++) { + if (virSecuritySELinuxSetSysinfoLabel(mgr, + def->sysinfo[i], + data) < 0) + return -1; + } + /* This is different than kernel or initrd. The nvram store * is really a disk, qemu can read and write to it. */ if (def->os.loader && def->os.loader->nvram && diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 6e6dd1b1db..34c281100e 100644 
--- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -1175,6 +1175,18 @@ get_files(vahControl * ctl) } } =20 + for (i =3D 0; i < ctl->def->nsysinfo; i++) { + size_t j; + + for (j =3D 0; j < ctl->def->sysinfo[i]->nfw_cfgs; j++) { + virSysinfoFWCfgDefPtr f =3D &ctl->def->sysinfo[i]->fw_cfgs[j]; + + if (f->file && + vah_add_file(&buf, f->file, "r") !=3D 0) + goto cleanup; + } + } + for (i =3D 0; i < ctl->def->nshmems; i++) { virDomainShmemDef *shmem =3D ctl->def->shmems[i]; /* explicit server paths can be on any model to overwrites default= s. --=20 2.26.2
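Review bot: virSecurityDACRestoreSysinfoLabel (security_dac.c, first hunk) and virSecuritySELinuxRestoreSysinfoLabel (security_selinux.c, first hunk) both `return -1` on the first fw_cfg file whose label fails to restore, so any later file-backed entry of the same <sysinfo> keeps its qemu label, whereas the callers virSecurityDACRestoreAllLabel and virSecuritySELinuxRestoreAllLabel deliberately set `rc = -1` and carry on so that every other path still gets restored. Consider the same best-effort pattern inside the two helpers: keep a local `rc = 0`, set `rc = -1` for a failing entry instead of returning, and `return rc` after the loop.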
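Review bot: the commit message says only read access is being enabled, but the DAC hunk adding virSecurityDACSetSysinfoLabel cannot express that: `virSecurityDACSetOwnership(mgr, NULL, f->file, user, group, true)` makes the file owned by the qemu user and group, and with an owner-writable mode that also lets QEMU write it on a host where SELinux and AppArmor are absent or permissive. Worth a sentence in the commit message, or a comment beside the call, that read-only enforcement comes from the SELinux content label and the AppArmor "r" rule, not from the DAC driver.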
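Review bot: the new loop in virSecuritySELinuxSetAllLabel is inserted directly above the existing comment "This is different than kernel or initrd. The nvram store is really a disk, qemu can read and write to it.", and virSecuritySELinuxSetSysinfoLabel labels with data->content_context, i.e. the read-only treatment kernel and initrd get. A one-line comment on the loop (fw_cfg files are read-only, hence content_context; nvram below is writable and differs) would stop the next reader from wondering why the adjacent code picks a different label, and it records the assumption the commit message makes, that only reading is enabled for now.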
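As an added example, not part of the patch or of libvirt, the following script does the post-relabel check a practitioner would want for the files this series hands to QEMU: it collects the file-backed fw_cfg entries of a domain and, for each, reports whether the DAC ownership lets QEMU read (and, unavoidably, write) the file and whether the SELinux type is the read-only one. Assumed, not taken from the page: the `<sysinfo type='fwcfg'>` / `<entry name='...' file='...'/>` XML form (from the libvirt documentation for this feature), the read-only content label being `virt_content_t`, and QEMU running as uid/gid 107; adjust both constants to the host. The sample XML is constructed.

```python
"""Audit the files a libvirt domain hands to QEMU through -fw_cfg.

Added example for this patch discussion; it is not libvirt code and is not
part of the patch. Assumptions, marked below: the <sysinfo type='fwcfg'>
domain XML with <entry name='...' file='...'/>, the read-only SELinux type
being virt_content_t, and QEMU running as uid/gid 107 (distribution and
qemu.conf dependent).
"""
import os
import stat
import xml.etree.ElementTree as ET

QEMU_UID = 107  # assumption: the user the DAC driver chowns to (see qemu.conf)
QEMU_GID = 107  # assumption
READ_ONLY_SELINUX_TYPES = {"virt_content_t"}  # assumption: what content_context maps to

# Constructed sample domain XML: one inline entry, one file-backed entry,
# plus an unrelated smbios block that must be skipped.
SAMPLE_XML = """<domain type='kvm'>
  <name>fwcfg-demo</name>
  <sysinfo type='fwcfg'>
    <entry name='opt/com.example/banner'>hello</entry>
    <entry name='opt/com.example/provision' file='/var/lib/libvirt/fwcfg/provision.ign'/>
  </sysinfo>
  <sysinfo type='smbios'>
    <system><entry name='manufacturer'>Example</entry></system>
  </sysinfo>
</domain>"""


def fwcfg_files(domain_xml):
    """Return (fw_cfg name, host path) for every file-backed fwcfg entry.

    This is the set the three security drivers walk: every
    <sysinfo type='fwcfg'> element, every entry with a file= attribute.
    Inline entries carry their value in the XML and need no label.
    """
    root = ET.fromstring(domain_xml)
    found = []
    for sysinfo in root.iter("sysinfo"):
        if sysinfo.get("type") != "fwcfg":
            continue
        for entry in sysinfo.findall("entry"):
            path = entry.get("file")
            if path:
                found.append((entry.get("name"), path))
    return found


def selinux_type(context):
    """Extract the type field from a 'user:role:type:level' context string."""
    fields = context.rstrip("\0").split(":")
    if len(fields) < 3:
        raise ValueError("not a SELinux context: %r" % context)
    return fields[2]


def _dac_allows(mode, uid, gid, user_bit, group_bit, other_bit):
    """Owner/group/other permission check from the QEMU process's point of view."""
    if uid == QEMU_UID:
        return bool(mode & user_bit)
    if gid == QEMU_GID:
        return bool(mode & group_bit)
    return bool(mode & other_bit)


def dac_read_allowed(mode, uid, gid):
    return _dac_allows(mode, uid, gid, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def dac_write_allowed(mode, uid, gid):
    return _dac_allows(mode, uid, gid, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)


def audit_file(mode, uid, gid, context):
    """Findings for one fw_cfg file given its mode bits, owner and SELinux context.

    An empty list means QEMU can read the file and the SELinux layer holds it
    read-only, which is what the patch intends. Pass context=None for a file
    without a security.selinux xattr.
    """
    findings = []
    if not dac_read_allowed(mode, uid, gid):
        findings.append("qemu cannot read the file: DAC label not applied")
    if dac_write_allowed(mode, uid, gid):
        findings.append("DAC grants qemu write access; read-only enforcement "
                        "relies on the SELinux/AppArmor label")
    if context is None:
        findings.append("no SELinux context: only DAC protects the file")
    elif selinux_type(context) not in READ_ONLY_SELINUX_TYPES:
        findings.append("unexpected SELinux type %s" % selinux_type(context))
    return findings


def audit_path(path):
    """Live variant: read mode, owner and the security.selinux xattr from disk (Linux only)."""
    st = os.stat(path)
    try:
        context = os.getxattr(path, "security.selinux").decode()
    except (OSError, AttributeError):
        context = None
    return audit_file(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, context)


if __name__ == "__main__":
    for name, path in fwcfg_files(SAMPLE_XML):
        # State after both drivers ran: owned by qemu (DAC, mode left at 0644)
        # and labelled with the read-only content type (SELinux).
        print(name, path, audit_file(0o644, QEMU_UID, QEMU_GID,
                                     "system_u:object_r:virt_content_t:s0"))
```

On a real host replace the constructed state with `audit_path(path)` for each path returned by `fwcfg_files(open("/etc/libvirt/qemu/<name>.xml").read())`; the single "DAC grants qemu write access" finding on a correctly labelled file is expected and is exactly why the SELinux and AppArmor rules, not the chown, carry the read-only intent stated in the commit message.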