[libvirt] [PATCH 0/3] security: Don't remember labels for TPM

Michal Privoznik posted 3 patches 4 years, 6 months ago
Posted by Michal Privoznik 4 years, 6 months ago
As it turns out, /dev/tpm0 can't be opened more than once. This doesn't
fit into our seclabel remembering approach, and thus we disable it for TPM
devices.

There's also another type of file which can't be opened more than once
- /dev/vfio/N. Usually, this won't be a problem unless users try to
attach/detach some devices from the same IOMMU group. This will require
more treatment though because it's broken on more levels.

  1) we remove /dev/vfio/N in private devtmpfs on device detach, even
     though there is another device still attached to the domain from the
     same IOMMU group,

  2) we remove the IOMMU group from CGroups, i.e. we effectively deny
     access to qemu

  3) we restore seclabels (regardless of seclabel remembering)

Therefore, I'm only addressing TPM issue here and will continue work on
hostdevs.

Michal Prívozník (3):
  security: Try to lock only paths with remember == true
  security_dac: Allow selective remember/recall for chardevs
  security: Don't remember labels for TPM

 src/security/security_dac.c     | 91 ++++++++++++++++++++++-----------
 src/security/security_selinux.c | 16 +++---
 2 files changed, 71 insertions(+), 36 deletions(-)

-- 
2.21.0

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH 0/3] security: Don't remember labels for TPM
Posted by Cole Robinson 4 years, 6 months ago
On 10/1/19 11:00 AM, Michal Privoznik wrote:
> As it turns out, /dev/tpm0 can't be opened more than once. This doesn't
> fit into our seclabel remembering approach, and thus we disable it for TPM
> devices.
> 
> There's also another type of file which can't be opened more than once
> - /dev/vfio/N. Usually, this won't be a problem unless users try to
> attach/detach some devices from the same IOMMU group. This will require
> more treatment though because it's broken on more levels.
> 
>    1) we remove /dev/vfio/N in private devtmpfs on device detach, even
>       though there is another device still attached to the domain from the
>       same IOMMU group,
> 
>    2) we remove the IOMMU group from CGroups, i.e. we effectively deny
>       access to qemu
> 
>    3) we restore seclabels (regardless of seclabel remembering)
> 
> Therefore, I'm only addressing TPM issue here and will continue work on
> hostdevs.
> 
> Michal Prívozník (3):
>    security: Try to lock only paths with remember == true
>    security_dac: Allow selective remember/recall for chardevs
>    security: Don't remember labels for TPM
> 
>   src/security/security_dac.c     | 91 ++++++++++++++++++++++-----------
>   src/security/security_selinux.c | 16 +++---
>   2 files changed, 71 insertions(+), 36 deletions(-)
> 

Reviewed-by: Cole Robinson <crobinso@redhat.com>

but see comment on #3, I think the EMULATOR bits can be dropped.
I verified this fixes TPM passthrough VM startup too.

- Cole