From: Michal Privoznik
To: libvir-list@redhat.com
Subject: [PATCH 5/6] secdrivers: Relabel firmware config files
Date: Wed, 3 Jun 2020 19:01:37 +0200
Message-Id: <69e34d39f5b50636ebc9ab2eb69ce879fad7ba86.1591203520.git.mprivozn@redhat.com>

For the case where -fw_cfg uses a file, we need to set the seclabels on it to allow QEMU access. While QEMU allows writing into the file (if specified on the command line), so far we are enabling reading only and thus we can use a read-only label (in case of SELinux).

Signed-off-by: Michal Privoznik
---
 src/security/security_dac.c | 14 ++++++++++++++
 src/security/security_selinux.c | 13 +++++++++++++
 src/security/virt-aa-helper.c | 6 ++++++
 3 files changed, 33 insertions(+)

diff --git a/src/security/security_dac.c b/src/security/security_dac.c index 7b95a6f86d..a1340c242c 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -1991,6 +1991,12 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr = mgr, rc =3D -1; } =20 + for (i =3D 0; i < def->nfw_cfgs; i++) { + if (def->fw_cfgs[i].file && + virSecurityDACRestoreFileLabel(mgr, def->fw_cfgs[i].file) < 0) + rc =3D -1; + } + if (def->os.loader && def->os.loader->nvram && virSecurityDACRestoreFileLabel(mgr, def->os.loader->nvram) < 0) rc =3D -1; 
@@ -2173,6 +2179,14 @@ virSecurityDACSetAllLabel(virSecurityManagerPtr mgr, if (virSecurityDACGetImageIds(secdef, priv, &user, &group)) return -1; =20 + for (i =3D 0; i < def->nfw_cfgs; i++) { + if (def->fw_cfgs[i].file && + virSecurityDACSetOwnership(mgr, NULL, + def->fw_cfgs[i].file, + user, group, true) < 0) + return -1; + } + if (def->os.loader && def->os.loader->nvram && virSecurityDACSetOwnership(mgr, NULL, def->os.loader->nvram, diff --git a/src/security/security_selinux.c b/src/security/security_selinu= x.c index 7bb7c2b7b1..c5a8e33bd7 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -2786,6 +2786,12 @@ virSecuritySELinuxRestoreAllLabel(virSecurityManager= Ptr mgr, mgr) < 0) rc =3D -1; =20 + for (i =3D 0; i < def->nfw_cfgs; i++) { + if (def->fw_cfgs[i].file && + virSecuritySELinuxRestoreFileLabel(mgr, def->fw_cfgs[i].file, = true) < 0) + rc =3D -1; + } + if (def->os.loader && def->os.loader->nvram && virSecuritySELinuxRestoreFileLabel(mgr, def->os.loader->nvram, tru= e) < 0) rc =3D -1; @@ -3194,6 +3200,13 @@ virSecuritySELinuxSetAllLabel(virSecurityManagerPtr = mgr, mgr) < 0) return -1; =20 + for (i =3D 0; i < def->nfw_cfgs; i++) { + if (def->fw_cfgs[i].file && + virSecuritySELinuxSetFilecon(mgr, def->fw_cfgs[i].file, + data->content_context, true) < 0) + return -1; + } + /* This is different than kernel or initrd. The nvram store * is really a disk, qemu can read and write to it. */ if (def->os.loader && def->os.loader->nvram && diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 6e6dd1b1db..12beef6442 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c 
@@ -1175,6 +1175,12 @@ get_files(vahControl * ctl) } } =20 + for (i =3D 0; i < ctl->def->nfw_cfgs; i++) { + if (ctl->def->fw_cfgs[i].file && + vah_add_file(&buf, ctl->def->fw_cfgs[i].file, "r") !=3D 0) + goto cleanup; + } + for (i =3D 0; i < ctl->def->nshmems; i++) { virDomainShmemDef *shmem =3D ctl->def->shmems[i]; /* explicit server paths can be on any model to overwrites default= s. --=20 2.26.2
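Review bot: in the virSecurityDACRestoreAllLabel hunk the new loop restores the ownership of every def->fw_cfgs[i].file unconditionally, while the matching virSecurityDACSetAllLabel hunk passes `true` for the remember argument of virSecurityDACSetOwnership; please confirm that virSecurityDACRestoreFileLabel consults that remembered/refcounted state, because a firmware config file that is referenced by more than one running domain (or more than once in one domain) would otherwise be reverted to its original owner when the first guest stops, while the other guest is still using it. A short comment next to the loop saying this relies on the remember machinery, as the nvram line just below does implicitly, would make the intent clear.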
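Review bot: the commit message says only read access is granted, but the virSecurityDACSetAllLabel hunk cannot express that: `virSecurityDACSetOwnership(mgr, NULL, def->fw_cfgs[i].file, user, group, true)` makes the QEMU user the owner of the file, so under DAC QEMU gets whatever the owner mode bits allow, which is normally read and write. The read-only restriction therefore holds only for the SELinux (content_context) and AppArmor ("r") hunks; suggest saying so in the commit message so nobody relies on DAC alone to keep a -fw_cfg file from being modified by the guest-facing process.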
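Review bot: the virSecuritySELinuxSetAllLabel hunk labels the fw_cfg file with `data->content_context`, the same read-only context used for kernel and initrd, and inserts the loop directly above the comment "This is different than kernel or initrd. The nvram store is really a disk, qemu can read and write to it." Since the commit message notes that QEMU can also write to a -fw_cfg file when asked to on the command line, a one-line comment above the new loop stating that libvirt deliberately only exposes the file read-only (so content_context is correct today, and would have to change to the image context if writable fw_cfg files are ever supported) would stop a future reader from treating the contrast with the nvram comment as an oversight.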
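Review bot: the virt-aa-helper get_files hunk adds the file with mode "r" via `vah_add_file(&buf, ctl->def->fw_cfgs[i].file, "r")`, which is consistent with the SELinux read-only label, but unlike the DAC and SELinux hunks it jumps to cleanup on the first failure rather than continuing; that matches how the surrounding get_files code handles shmems, so no change needed, only worth keeping in mind that the three drivers now fail at different granularity for the same file list. If writable fw_cfg files are enabled later, this "r" must become "rw" together with the SELinux context change.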