From: Stefan Berger
To: libvir-list@redhat.com
Date: Fri, 4 May 2018 16:21:23 -0400
Subject: [libvirt] [PATCH v3 12/14] security: Label the external swtpm with SELinux labels
Message-Id: <1525465285-14102-13-git-send-email-stefanb@linux.vnet.ibm.com>
In-Reply-To: <1525465285-14102-1-git-send-email-stefanb@linux.vnet.ibm.com>

In this patch we label the swtpm process with SELinux labels. We give it
the same label as the QEMU process has. We label its state directory and
files as well.

The file and process labels now look as follows:

Directory: /var/lib/libvirt/swtpm

[root@localhost swtpm]# ls -lZ
total 4
rwx------. 2 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 4096 Apr  5 16:46 testvm

[root@localhost testvm]# ls -lZ
total 8
-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 3648 Apr  5 16:46 tpm-00.permall

The log in /var/log/swtpm/libvirt/qemu is labeled as follows:

-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 2237 Apr  5 16:46 vtpm.log

[root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep swtpm | grep ctrl | grep -v grep
system_u:system_r:svirt_t:s0:c254,c932 tss 25664 0.0 0.0 28172 3892 ? Ss 16:57 0:00 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/testvm-swtpm.sock,mode=0660 --tpmstate dir=/var/lib/libvirt/swtpm/testvm/tpm1.2 --log file=/var/log/swtpm/libvirt/qemu/testvm-swtpm.log

[root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep qemu | grep tpm | grep -v grep
system_u:system_r:svirt_t:s0:c254,c932 qemu 25669 99.0 0.0 3096704 48500 ? Sl 16:57 3:28 /bin/qemu-system-x86_64 [..]
Signed-off-by: Stefan Berger --- src/libvirt_private.syms | 1 + src/qemu/qemu_extdevice.c | 22 ++++++++++- src/security/security_driver.h | 4 ++ src/security/security_manager.c | 17 +++++++++ src/security/security_manager.h | 3 ++ src/security/security_selinux.c | 82 +++++++++++++++++++++++++++++++++++++= ++++ src/security/security_stack.c | 19 ++++++++++ 7 files changed, 147 insertions(+), 1 deletion(-) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index e533b95..79b8afa 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -1334,6 +1334,7 @@ virSecurityManagerSetProcessLabel; virSecurityManagerSetSavedStateLabel; virSecurityManagerSetSocketLabel; virSecurityManagerSetTapFDLabel; +virSecurityManagerSetTPMLabels; virSecurityManagerStackAddNested; virSecurityManagerTransactionAbort; virSecurityManagerTransactionCommit; diff --git a/src/qemu/qemu_extdevice.c b/src/qemu/qemu_extdevice.c index f3f337d..eb7220d 100644 --- a/src/qemu/qemu_extdevice.c +++ b/src/qemu/qemu_extdevice.c 
@@ -166,12 +166,32 @@ qemuExtTPMStartEmulator(virQEMUDriverPtr driver, =20 virCommandSetErrorBuffer(cmd, &errbuf); =20 - if (virCommandRun(cmd, &exitstatus) < 0 || exitstatus !=3D 0) { + if (virSecurityManagerSetTPMLabels(driver->securityManager, + def) < 0) + goto error; + + if (virSecurityManagerSetChildProcessLabel(driver->securityManager, + def, cmd) < 0) + goto error; + + if (virSecurityManagerPreFork(driver->securityManager) < 0) + goto error; + + /* make sure we run this with the appropriate user */ + virCommandSetUID(cmd, cfg->swtpm_user); + virCommandSetGID(cmd, cfg->swtpm_group); + + ret =3D virCommandRun(cmd, &exitstatus); + + virSecurityManagerPostFork(driver->securityManager); + + if (ret < 0 || exitstatus !=3D 0) { VIR_ERROR("Could not start 'swtpm'. exitstatus: %d\n" "stderr: %s\n", exitstatus, errbuf); virReportError(VIR_ERR_INTERNAL_ERROR, _("Could not start 'swtpm'. exitstatus: %d, " "error: %s"), exitstatus, errbuf); + ret =3D -1; goto error; } =20 diff --git a/src/security/security_driver.h b/src/security/security_driver.h index 95e7c4d..4aa415f 100644 --- a/src/security/security_driver.h +++ b/src/security/security_driver.h @@ -149,6 +149,8 @@ typedef int (*virSecurityDomainRestoreChardevLabel) (vi= rSecurityManagerPtr mgr, virDomainDefPtr def, virDomainChrSourceDef= Ptr dev_source, bool chardevStdioLogd= ); +typedef int (*virSecurityDomainSetTPMLabels) (virSecurityManagerPtr mgr, + virDomainDefPtr def); =20 =20 struct _virSecurityDriver { @@ -213,6 +215,8 @@ struct _virSecurityDriver { =20 virSecurityDomainSetChardevLabel domainSetSecurityChardevLabel; virSecurityDomainRestoreChardevLabel domainRestoreSecurityChardevLabel; + + virSecurityDomainSetTPMLabels domainSetSecurityTPMLabels; }; =20 virSecurityDriverPtr virSecurityDriverLookup(const char *name, diff --git a/src/security/security_manager.c b/src/security/security_manage= r.c index 71f7f59..48777bb 100644 --- a/src/security/security_manager.c +++ b/src/security/security_manager.c 
@@ -1204,3 +1204,20 @@ virSecurityManagerRestoreChardevLabel(virSecurityMan= agerPtr mgr, virReportUnsupportedError(); return -1; } + + +int virSecurityManagerSetTPMLabels(virSecurityManagerPtr mgr, + virDomainDefPtr vm) +{ + int ret; + + if (mgr->drv->domainSetSecurityTPMLabels) { + virObjectLock(mgr); + ret =3D mgr->drv->domainSetSecurityTPMLabels(mgr, vm); + virObjectUnlock(mgr); + + return ret; + } + + return 0; +} diff --git a/src/security/security_manager.h b/src/security/security_manage= r.h index c36a8b4..671f6a8 100644 --- a/src/security/security_manager.h +++ b/src/security/security_manager.h @@ -194,4 +194,7 @@ int virSecurityManagerRestoreChardevLabel(virSecurityMa= nagerPtr mgr, virDomainChrSourceDefPtr dev_sou= rce, bool chardevStdioLogd); =20 +int virSecurityManagerSetTPMLabels(virSecurityManagerPtr mgr, + virDomainDefPtr vm); + #endif /* VIR_SECURITY_MANAGER_H__ */ diff --git a/src/security/security_selinux.c b/src/security/security_selinu= x.c index 17bc07a..42a940b 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c 
@@ -3047,6 +3047,86 @@ virSecuritySELinuxDomainSetPathLabel(virSecurityMana= gerPtr mgr, return virSecuritySELinuxSetFilecon(mgr, path, seclabel->imagelabel); } =20 +/* + * _virSecuritySELinuxSetSecurityFileLabels: + * + * @mgr: the virSecurityManager + * @path: path to a directory or a file + * @seclabel: the security label + * + * Set the file labels on the given path; if the path is a directory + * we label all files found there, including the directory itself, + * otherwise we just label the file. + */ +static int +_virSecuritySELinuxSetSecurityFileLabels(virSecurityManagerPtr mgr, + const char *path, + virSecurityLabelDefPtr seclabel) +{ + int ret =3D 0; + struct dirent *ent; + char *filename =3D NULL; + DIR *dir; + + if ((ret =3D virSecuritySELinuxSetFilecon(mgr, path, seclabel->imagela= bel))) + return ret; + + if (virDirOpen(&dir, path) < 0) + return 0; + + while ((ret =3D virDirRead(dir, &ent, path)) > 0) { + if (ent->d_type !=3D DT_REG) + continue; + + if (virAsprintf(&filename, "%s/%s", path, ent->d_name) < 0) { + ret =3D -1; + break; + } + ret =3D virSecuritySELinuxSetFilecon(mgr, filename, + seclabel->imagelabel); + VIR_FREE(filename); + if (ret) + break; + } + if (ret) + virReportSystemError(errno, _("Unable to label files under %s"), + path); + + virDirClose(&dir); + + return ret; +} + +static int +virSecuritySELinuxSetSecurityTPMLabels(virSecurityManagerPtr mgr, + virDomainDefPtr def) +{ + int ret =3D 0; + virSecurityLabelDefPtr seclabel; + + seclabel =3D virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAM= E); + if (seclabel =3D=3D NULL) + return 0; + + switch (def->tpm->type) { + case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: + break; + case VIR_DOMAIN_TPM_TYPE_EMULATOR: + ret =3D _virSecuritySELinuxSetSecurityFileLabels( + mgr, def->tpm->data.emulator.storagepath, + seclabel); + if (ret =3D=3D 0 && def->tpm->data.emulator.logfile) + ret =3D _virSecuritySELinuxSetSecurityFileLabels( + mgr, def->tpm->data.emulator.logfile, + seclabel); + break; + case 
VIR_DOMAIN_TPM_TYPE_LAST: + break; + } + + return ret; +} + virSecurityDriver virSecurityDriverSELinux =3D { .privateDataLen =3D sizeof(virSecuritySELinuxData), .name =3D SECURITY_SELINUX_NAME, @@ -3106,4 +3186,6 @@ virSecurityDriver virSecurityDriverSELinux =3D { =20 .domainSetSecurityChardevLabel =3D virSecuritySELinuxSetChardevLa= bel, .domainRestoreSecurityChardevLabel =3D virSecuritySELinuxRestoreChard= evLabel, + + .domainSetSecurityTPMLabels =3D virSecuritySELinuxSetSecurityT= PMLabels, }; diff --git a/src/security/security_stack.c b/src/security/security_stack.c index 9615f9f..7f10ef0 100644 --- a/src/security/security_stack.c +++ b/src/security/security_stack.c @@ -760,6 +760,23 @@ virSecurityStackDomainRestoreChardevLabel(virSecurityM= anagerPtr mgr, return rc; } =20 +static int +virSecurityStackSetSecurityTPMLabels(virSecurityManagerPtr mgr, + virDomainDefPtr vm) +{ + virSecurityStackDataPtr priv =3D virSecurityManagerGetPrivateData(mgr); + virSecurityStackItemPtr item =3D priv->itemsHead; + int rc =3D 0; + + for (; item; item =3D item->next) { + if (virSecurityManagerSetTPMLabels(item->securityManager, + vm) < 0) + rc =3D -1; + } + + return rc; +} + virSecurityDriver virSecurityDriverStack =3D { .privateDataLen =3D sizeof(virSecurityStackData), .name =3D "stack", @@ -822,4 +839,6 @@ virSecurityDriver virSecurityDriverStack =3D { =20 .domainSetSecurityChardevLabel =3D virSecurityStackDomainSetChard= evLabel, .domainRestoreSecurityChardevLabel =3D virSecurityStackDomainRestoreC= hardevLabel, + + .domainSetSecurityTPMLabels =3D virSecurityStackSetSecurityTPM= Labels, }; --=20 2.5.5 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
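Review bot: in the qemu_extdevice.c hunk, the three new early exits (`goto error` when virSecurityManagerSetTPMLabels, virSecurityManagerSetChildProcessLabel or virSecurityManagerPreFork fails) leave `ret` untouched, while the virCommandRun failure path below sets `ret = -1` explicitly; confirm `ret` starts out as -1 in qemuExtTPMStartEmulator, otherwise those exits can report success to the caller. Also, nothing on the error path undoes what virSecurityManagerSetTPMLabels did: if swtpm fails to start, the state directory and log file stay labelled svirt_image_t with this domain's categories.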
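Review bot: the security_driver.h hunk adds only a Set callback, while the neighbouring hooks come as Set/Restore pairs (domainSetSecurityChardevLabel / domainRestoreSecurityChardevLabel in the visible context). Without a domainRestoreSecurityTPMLabels the swtpm state directory, its files and the log keep the domain-specific svirt_image_t:s0:cX,cY label after the guest stops; suggest adding the Restore typedef and struct field here and wiring it through security_manager.c, security_selinux.c and security_stack.c alongside the Set variant.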
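Review bot: in the security_manager.c hunk, virSecurityManagerSetTPMLabels returns 0 silently when the driver has no domainSetSecurityTPMLabels, whereas virSecurityManagerRestoreChardevLabel directly above it calls virReportUnsupportedError() and returns -1. The diffstat adds no DAC implementation, so with the usual dac+selinux stack the DAC manager always takes this silent path; if that is intended, say so in a one-line comment. Style: put the `int` return type on its own line as the surrounding functions do.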
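Review bot: in _virSecuritySELinuxSetSecurityFileLabels (first security_selinux.c hunk), `if (virDirOpen(&dir, path) < 0) return 0;` treats every open failure as "path is a regular file": a permission or I/O error on a real directory is swallowed (virDirOpen has already reported it) and the directory's contents stay unlabelled while the caller sees success; stat the path and only open it when S_ISDIR, or check for errno == ENOTDIR. Two smaller points in the same loop: `ent->d_type != DT_REG` silently skips entries for which the filesystem reports DT_UNKNOWN, so fall back to stat in that case; and the trailing `virReportSystemError(errno, _("Unable to label files under %s"), path)` fires after virDirRead, virAsprintf and virSecuritySELinuxSetFilecon have each reported their own, more specific error, with an errno that is no longer guaranteed to belong to the failing call. In virSecuritySELinuxSetSecurityTPMLabels, `def->tpm` is dereferenced without a NULL check although the function is reachable through the generic manager and stack path; `if (!def->tpm) return 0;` is a cheap guard. Finally, the doc comment says labelling is one level deep, but the ps output in the commit message shows the state under a tpm1.2 subdirectory of the domain's directory; confirm storagepath points at the directory that actually holds the state files.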
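As an added check (not part of this patch or of libvirt), a small POSIX shell script that verifies on a running host what the commit message shows: the swtpm process runs as svirt_t, and its state directory, state files and log carry svirt_image_t with the same MCS categories as the guest's QEMU process. It assumes QEMU's command line contains `guest=<name>` and that the control socket and log are named `<name>-swtpm.sock` / `<name>-swtpm.log` as in the ps output above; the label-parsing helpers are exercised on constructed contexts.

```shell
#!/bin/sh
# Added example, not part of the patch: verify on a libvirt host that an
# external swtpm and its files carry the sVirt labels described above.
# Assumes SELinux contexts of the form user:role:type:level with the MCS
# categories as the last colon-separated field (e.g. "s0:c254,c932").

# MCS category part of a context, e.g. "c254,c932" ("s0" if there are none).
mcs_of() {
    printf '%s\n' "$1" | awk -F: '{ print $NF }'
}

# SELinux type of a context, e.g. "svirt_t" or "svirt_image_t".
type_of() {
    printf '%s\n' "$1" | awk -F: '{ print $3 }'
}

# check_pair QEMU_CTX OBJ_CTX EXPECTED_TYPE: 0 if OBJ_CTX has the expected
# type and exactly the QEMU process's categories, 1 otherwise.
check_pair() {
    [ "$(type_of "$2")" = "$3" ] || return 1
    [ "$(mcs_of "$2")" = "$(mcs_of "$1")" ] || return 1
}

# Live check for one domain. Assumes (as in the ps output above) the
# control socket is <vm>-swtpm.sock and QEMU was started with guest=<vm>.
check_domain() {
    vm=$1
    qemu_ctx=$(ps -eo label,args | awk -v vm="$vm" \
        '$2 ~ /qemu-system/ && index($0, "guest=" vm) { print $1; exit }')
    swtpm_ctx=$(ps -eo label,args | awk -v vm="$vm" \
        '$2 ~ /swtpm$/ && index($0, vm "-swtpm.sock") { print $1; exit }')
    if [ -z "$qemu_ctx" ] || [ -z "$swtpm_ctx" ]; then
        echo "qemu or swtpm process for $vm not found"; return 1
    fi
    check_pair "$qemu_ctx" "$swtpm_ctx" svirt_t ||
        { echo "swtpm process label mismatch: $swtpm_ctx"; return 1; }
    for f in "/var/lib/libvirt/swtpm/$vm" "/var/lib/libvirt/swtpm/$vm"/* \
             "/var/log/swtpm/libvirt/qemu/$vm-swtpm.log"; do
        [ -e "$f" ] || continue
        ctx=$(ls -dZ "$f" | awk '{ print $1 }')
        check_pair "$qemu_ctx" "$ctx" svirt_image_t ||
            { echo "file label mismatch: $f $ctx"; return 1; }
    done
    echo "swtpm labels for $vm match QEMU ($(mcs_of "$qemu_ctx"))"
}
```

Run `check_domain testvm` on the host after the guest has started; a non-zero exit names the first process or file whose type or categories differ from QEMU's.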