From: Stefan Berger
To: libvir-list@redhat.com
Date: Thu, 5 Apr 2018 17:56:03 -0400
In-Reply-To: <1522965366-836-1-git-send-email-stefanb@linux.vnet.ibm.com>
References: <1522965366-836-1-git-send-email-stefanb@linux.vnet.ibm.com>
Message-Id: <1522965366-836-4-git-send-email-stefanb@linux.vnet.ibm.com>
Subject: [libvirt] [PATCH 3/6] tpm: Label the external swtpm with SELinux labels
In this patch we label the swtpm process with SELinux labels. We give it the same label as the QEMU process has. We label its state directory and files as well.

The file and process labels now look as follows:

[root@localhost tpm]# ls -lZ
total 4
rwx------. 2 tss  tss  system_u:object_r:svirt_image_t:s0:c254,c932 4096 Apr  5 16:46 485d0004-a48f-436a-8457-8a3b73e28567
srw-------. 1 qemu qemu system_u:object_r:svirt_image_t:s0:c254,c932    0 Apr  5 16:57 485d0004-a48f-436a-8457-8a3b73e28567.sock

[root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ls -lZ
total 8
-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 3648 Apr  5 16:46 tpm-00.permall
-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 2237 Apr  5 16:46 vtpm.log

root@sbct-3 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep swtpm | grep -v grep
system_u:system_r:svirt_t:s0:c254,c932 tss 25664 0.0 0.0 28172 3892 ?
= Ss 16:57 0:00 /usr/bin/swtpm socket --daemon --ctrl type=3Dunixio,p= ath=3D/var/lib/libvirt/tpm/485d0004-a48f-436a-8457-8a3b73e28567.sock,mode= =3D0600 --tpmstate dir=3D/var/lib/libvirt/tpm/485d0004-a48f-436a-8457-8a3b7= 3e28567 --log file=3D/var/lib/libvirt/tpm/485d0004-a48f-436a-8457-8a3b73e28= 567/vtpm.log --runas 59 [root@sbct-3 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep qemu | g= rep tpm | grep -v grep system_u:system_r:svirt_t:s0:c254,c932 qemu 25669 99.0 0.0 3096704 48500 ?= Sl 16:57 3:28 /bin/qemu-system-x86_64 -name guest=3Dcentos7.0,debug= -threads=3Don -S -object secret,id=3DmasterKey0,format=3Draw,file=3D/var/li= b/libvirt/qemu/domain-1-centos7.0/master-key.aes -machine pc-i440fx-2.8,acc= el=3Dkvm,usb=3Doff,dump-guest-core=3Doff -cpu kvm64 -m 2048 -realtime mlock= =3Doff -smp 2,sockets=3D2,cores=3D1,threads=3D1 -uuid 485d0004-a48f-436a-84= 57-8a3b73e28567 [...] -tpmdev emulator,id=3Dtpm-tpm0,chardev=3Dchrtpm -char= dev socket,id=3Dchrtpm,path=3D/var/lib/libvirt/tpm/485d0004-a48f-436a-8457-= 8a3b73e28567.sock -device tpm-tis,tpmdev=3Dtpm-tpm0,id=3Dtpm0 -device usb-m= ouse,id=3Dinput0,bus=3Dusb.0,port=3D1 -vnc 127.0.0.1:0 -device cirrus-vga,i= d=3Dvideo0,bus=3Dpci.0,addr=3D0x2 -device virtio-balloon-pci,id=3Dballoon0,= bus=3Dpci.0,addr=3D0x6 -msg timestamp=3Don Signed-off-by: Stefan Berger --- src/conf/domain_conf.c | 2 + src/conf/domain_conf.h | 3 ++ src/libvirt_private.syms | 1 + src/qemu/qemu_extdevice.c | 26 +++++++++++- src/security/security_driver.h | 5 ++- src/security/security_manager.c | 15 +++++++ src/security/security_manager.h | 3 ++ src/security/security_selinux.c | 90 +++++++++++++++++++++++++++++++++++++= ++++ src/security/security_stack.c | 19 +++++++++ src/util/virtpm.c | 5 ++- 10 files changed, 165 insertions(+), 4 deletions(-) diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index da14ef8..9f7f3ce 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c 
@@ -2623,6 +2623,8 @@ void virDomainTPMDefFree(virDomainTPMDefPtr def) break; case VIR_DOMAIN_TPM_TYPE_EMULATOR: VIR_FREE(def->data.emulator.source.data.nix.path); + VIR_FREE(def->data.emulator.storagepath); + VIR_FREE(def->data.emulator.logfile); break; case VIR_DOMAIN_TPM_TYPE_LAST: break; diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h index 4ecc70d..9802533 100644 --- a/src/conf/domain_conf.h +++ b/src/conf/domain_conf.h @@ -1301,6 +1301,9 @@ struct _virDomainTPMDef { } passthrough; struct { virDomainChrSourceDef source; + /* swtpm storage path and logfile */ + char *storagepath; + char *logfile; } emulator; } data; }; diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index e64bbef..191142e 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -1334,6 +1334,7 @@ virSecurityManagerSetProcessLabel; virSecurityManagerSetSavedStateLabel; virSecurityManagerSetSocketLabel; virSecurityManagerSetTapFDLabel; +virSecurityManagerSetTPMLabels; virSecurityManagerStackAddNested; virSecurityManagerTransactionAbort; virSecurityManagerTransactionCommit; diff --git a/src/qemu/qemu_extdevice.c b/src/qemu/qemu_extdevice.c index 4f42c9b..e685faf 100644 --- a/src/qemu/qemu_extdevice.c +++ b/src/qemu/qemu_extdevice.c 
@@ -105,12 +105,36 @@ qemuExtTPMStartEmulator(virQEMUDriverPtr driver, =20 virCommandSetErrorBuffer(cmd, &errbuf); =20 - if (virCommandRun(cmd, &exitstatus) < 0 || exitstatus !=3D 0) { + if (virSecurityManagerSetTPMLabels(driver->securityManager, + def) < 0) + goto error; + + if (virSecurityManagerSetChildProcessLabel(driver->securityManager, + def, cmd) < 0) + goto error; + + if (virSecurityManagerPreFork(driver->securityManager) < 0) + goto error; + + /* + * make sure we run this as root + * note: when installing libvirtd via make install we don't need this, + * but when installed from RPM, this is necessary. + */ + virCommandSetUID(cmd, 0); + virCommandSetGID(cmd, 0); + + ret =3D virCommandRun(cmd, &exitstatus); + + virSecurityManagerPostFork(driver->securityManager); + + if (ret < 0 || exitstatus !=3D 0) { VIR_ERROR("Could not start 'swtpm'. exitstatus: %d\n" "stderr: %s\n", exitstatus, errbuf); virReportError(VIR_ERR_INTERNAL_ERROR, _("Could not start 'swtpm'. exitstatus: %d, " "error: %s"), exitstatus, errbuf); + ret =3D -1; goto error; } =20 diff --git a/src/security/security_driver.h b/src/security/security_driver.h index 95e7c4d..c654d2b 100644 --- a/src/security/security_driver.h +++ b/src/security/security_driver.h @@ -149,7 +149,8 @@ typedef int (*virSecurityDomainRestoreChardevLabel) (vi= rSecurityManagerPtr mgr, virDomainDefPtr def, virDomainChrSourceDef= Ptr dev_source, bool chardevStdioLogd= ); - +typedef int (*virSecurityDomainSetTPMLabels) (virSecurityManagerPtr mgr, + virDomainDefPtr def); =20 struct _virSecurityDriver { size_t privateDataLen; @@ -213,6 +214,8 @@ struct _virSecurityDriver { =20 virSecurityDomainSetChardevLabel domainSetSecurityChardevLabel; virSecurityDomainRestoreChardevLabel domainRestoreSecurityChardevLabel; + + virSecurityDomainSetTPMLabels domainSetSecurityTPMLabels; }; =20 virSecurityDriverPtr virSecurityDriverLookup(const char *name, 
diff --git a/src/security/security_manager.c b/src/security/security_manage= r.c index fdeea4d..7ff9050 100644 --- a/src/security/security_manager.c +++ b/src/security/security_manager.c @@ -1207,3 +1207,18 @@ virSecurityManagerRestoreChardevLabel(virSecurityMan= agerPtr mgr, virReportUnsupportedError(); return -1; } + + +int virSecurityManagerSetTPMLabels(virSecurityManagerPtr mgr, + virDomainDefPtr vm) +{ + if (mgr->drv->domainSetSecurityTPMLabels) { + int ret; + virObjectLock(mgr); + ret =3D mgr->drv->domainSetSecurityTPMLabels(mgr, vm); + virObjectUnlock(mgr); + return ret; + } + + return 0; +} diff --git a/src/security/security_manager.h b/src/security/security_manage= r.h index c36a8b4..671f6a8 100644 --- a/src/security/security_manager.h +++ b/src/security/security_manager.h @@ -194,4 +194,7 @@ int virSecurityManagerRestoreChardevLabel(virSecurityMa= nagerPtr mgr, virDomainChrSourceDefPtr dev_sou= rce, bool chardevStdioLogd); =20 +int virSecurityManagerSetTPMLabels(virSecurityManagerPtr mgr, + virDomainDefPtr vm); + #endif /* VIR_SECURITY_MANAGER_H__ */ diff --git a/src/security/security_selinux.c b/src/security/security_selinu= x.c index cfc8311..7bc1786 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -30,6 +30,7 @@ #if HAVE_SELINUX_LABEL_H # include #endif +#include =20 #include "security_driver.h" #include "security_selinux.h" 
@@ -3051,6 +3052,93 @@ virSecuritySELinuxDomainSetPathLabel(virSecurityMana= gerPtr mgr, return virSecuritySELinuxSetFilecon(mgr, path, seclabel->imagelabel); } =20 +static int +_virSecuritySELinuxSetSecurityFileLabels(virSecurityManagerPtr mgr, + const char *path, + virSecurityLabelDefPtr seclabel, + bool recurse) +{ + int ret =3D 0; + int n =3D 0; + struct dirent dirent, *result =3D NULL; + struct stat stat; + char *filename =3D NULL; + DIR *dir =3D opendir(path); + + if (!dir) + return virSecuritySELinuxSetFilecon(mgr, path, seclabel->imagelabe= l); + + while ((n =3D readdir_r(dir, &dirent, &result)) =3D=3D 0) { + if (result =3D=3D NULL) + break; + /* do NOT step into parent dir */ + if (STREQ("..", dirent.d_name)) + continue; + if (virAsprintf(&filename, "%s/%s", path, dirent.d_name) < 0) { + ret =3D -1; + break; + } + n =3D lstat(filename, &stat); + if (n !=3D 0) + break; + if (S_ISDIR(stat.st_mode)) { + ret =3D virSecuritySELinuxSetFilecon(mgr, filename, seclabel->= imagelabel); + if (ret) + break; + if (recurse) + ret =3D _virSecuritySELinuxSetSecurityFileLabels(mgr, file= name, + seclabel, + recurse); + } else if (S_ISREG(stat.st_mode)) { + ret =3D virSecuritySELinuxSetFilecon(mgr, filename, + seclabel->imagelabel); + } + VIR_FREE(filename); + if (ret) + break; + } + if (n) { + virReportSystemError(errno, _("Unable to label files under %s"), + path); + ret =3D -1; + } + + VIR_FREE(filename); + closedir(dir); + + return ret; +} + +static int +virSecuritySELinuxSetSecurityTPMLabels(virSecurityManagerPtr mgr, + virDomainDefPtr def) +{ + int ret =3D 0; + virSecurityLabelDefPtr seclabel; + + seclabel =3D virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAM= E); + if (seclabel =3D=3D NULL) + return 0; + + switch (def->tpm->type) { + case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: + break; + case VIR_DOMAIN_TPM_TYPE_EMULATOR: + ret =3D _virSecuritySELinuxSetSecurityFileLabels( + mgr, def->tpm->data.emulator.storagepath, + seclabel, false); + if (ret =3D=3D 0 && 
def->tpm->data.emulator.logfile) + ret =3D _virSecuritySELinuxSetSecurityFileLabels( + mgr, def->tpm->data.emulator.logfile, + seclabel, false); + break; + case VIR_DOMAIN_TPM_TYPE_LAST: + break; + } + + return ret; +} + virSecurityDriver virSecurityDriverSELinux =3D { .privateDataLen =3D sizeof(virSecuritySELinuxData), .name =3D SECURITY_SELINUX_NAME, @@ -3110,4 +3198,6 @@ virSecurityDriver virSecurityDriverSELinux =3D { =20 .domainSetSecurityChardevLabel =3D virSecuritySELinuxSetChardevLa= bel, .domainRestoreSecurityChardevLabel =3D virSecuritySELinuxRestoreChard= evLabel, + + .domainSetSecurityTPMLabels =3D virSecuritySELinuxSetSecurityT= PMLabels, }; diff --git a/src/security/security_stack.c b/src/security/security_stack.c index 9615f9f..7f10ef0 100644 --- a/src/security/security_stack.c +++ b/src/security/security_stack.c @@ -760,6 +760,23 @@ virSecurityStackDomainRestoreChardevLabel(virSecurityM= anagerPtr mgr, return rc; } =20 +static int +virSecurityStackSetSecurityTPMLabels(virSecurityManagerPtr mgr, + virDomainDefPtr vm) +{ + virSecurityStackDataPtr priv =3D virSecurityManagerGetPrivateData(mgr); + virSecurityStackItemPtr item =3D priv->itemsHead; + int rc =3D 0; + + for (; item; item =3D item->next) { + if (virSecurityManagerSetTPMLabels(item->securityManager, + vm) < 0) + rc =3D -1; + } + + return rc; +} + virSecurityDriver virSecurityDriverStack =3D { .privateDataLen =3D sizeof(virSecurityStackData), .name =3D "stack", @@ -822,4 +839,6 @@ virSecurityDriver virSecurityDriverStack =3D { =20 .domainSetSecurityChardevLabel =3D virSecurityStackDomainSetChard= evLabel, .domainRestoreSecurityChardevLabel =3D virSecurityStackDomainRestoreC= hardevLabel, + + .domainSetSecurityTPMLabels =3D virSecurityStackSetSecurityTPM= Labels, }; diff --git a/src/util/virtpm.c b/src/util/virtpm.c index 8a99876..354761e 100644 --- a/src/util/virtpm.c +++ b/src/util/virtpm.c 
@@ -437,8 +437,9 @@ virTPMEmulatorBuildCommand(virDomainTPMDefPtr tpm, cons= t unsigned char *vmuuid, virCommandAllowCap(cmd, CAP_SETUID); } =20 - VIR_FREE(storagepath); - VIR_FREE(logfile); + tpm->data.emulator.storagepath =3D storagepath; + VIR_FREE(tpm->data.emulator.logfile); + tpm->data.emulator.logfile =3D logfile; =20 return cmd; =20 --=20 2.5.5 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
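Review bot: in the qemuExtTPMStartEmulator hunk (src/qemu/qemu_extdevice.c), a failure of virSecurityManagerSetChildProcessLabel or virSecurityManagerPreFork jumps to `error` after virSecurityManagerSetTPMLabels has already relabeled the state directory and log file, and nothing in this patch undoes that relabeling, on the error path or when the domain is later stopped; consider adding a virSecurityManagerRestoreTPMLabels counterpart and calling it in both places, as the chardev Set/Restore pair is used. The comment above `virCommandSetUID(cmd, 0);` says when running the child as root is needed (RPM install) but not why; since the child is launched as root and relies on swtpm's own `--runas 59` (visible in the ps output above) to drop to the tss user, together with `virCommandAllowCap(cmd, CAP_SETUID)` in virtpm.c, spell that dependency out so a later reader does not remove one half of it.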
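Review bot: in the first src/security/security_driver.h hunk, the new `virSecurityDomainSetTPMLabels` typedef replaces the blank line that separated the RestoreChardevLabel typedef from `struct _virSecurityDriver`, and no `virSecurityDomainRestoreTPMLabels` typedef or `domainRestoreSecurityTPMLabels` member is added, although the file-labelling hooks in the struct otherwise come in Set/Restore pairs (see `domainSetSecurityChardevLabel` / `domainRestoreSecurityChardevLabel` in the second hunk's context). Keep the blank line and add the Restore hook so drivers can clear the per-domain `svirt_image_t:s0:cNNN,cNNN` categories from the state directory when the domain stops.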
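Review bot: in src/security/security_manager.c, `int virSecurityManagerSetTPMLabels(virSecurityManagerPtr mgr,` puts the return type on the same line as the function name, unlike the other definitions in this patch, which place `static int` on its own line; split it to match. Also, since the callback receives the whole virDomainDefPtr, the wrapper (or each driver implementation) should return 0 early when `vm->tpm` is NULL rather than rely on every caller to check before dereferencing `def->tpm->type`.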
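Review bot: in `_virSecuritySELinuxSetSecurityFileLabels` (src/security/security_selinux.c), the error report after the loop passes `errno` to virReportSystemError, but `readdir_r` returns the error number instead of setting errno, so a failed directory read would be reported with a stale errno; libvirt's virDirOpen/virDirRead helpers avoid that (and the deprecation of readdir_r and the fixed-size `struct dirent dirent` on the stack), and they skip both "." and "..", whereas this loop only skips ".." and therefore relabels "." (the directory itself) a second time. Further points in the same function: `struct stat stat;` shadows the stat(2) function, so rename it (e.g. `sb`); `if (!dir) return virSecuritySELinuxSetFilecon(...)` treats every opendir failure, including EACCES, as "path is a regular file", so check for `errno == ENOTDIR` before falling back; `recurse` is passed as false by the only caller, so subdirectories are labelled but never descended; and `virSecuritySELinuxSetSecurityTPMLabels` only checks for a NULL seclabel, while the other SELinux hooks in this file also honor `seclabel->relabel` (`<seclabel relabel='no'/>`), which should be respected here too.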
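Review bot: in the virTPMEmulatorBuildCommand hunk (src/util/virtpm.c), `tpm->data.emulator.logfile` is freed before being reassigned but `tpm->data.emulator.storagepath` is overwritten without a VIR_FREE, so a second call for the same definition (for example on a later start of the domain) leaks the previous storagepath; add `VIR_FREE(tpm->data.emulator.storagepath);` before the assignment. Also check that the function's error path (not shown in the hunk) no longer frees `storagepath` and `logfile` once they have been handed to the def, or that the locals are set to NULL after the hand-off, to avoid a double free via virDomainTPMDefFree.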