[libvirt] [PATCH v5 09/11] security: Label the external swtpm with SELinux labels

Posted by Stefan Berger 6 years, 12 months ago
In this patch we label the swtpm process with SELinux labels. We give it the
same label as the QEMU process has. We label its state directory and files
as well. We restore the old security labels once the swtpm has terminated.

The file and process labels now look as follows:

Directory: /var/lib/libvirt/swtpm

[root@localhost swtpm]# ls -lZ
total 4
rwx------. 2 tss  tss  system_u:object_r:svirt_image_t:s0:c254,c932 4096 Apr  5 16:46 testvm

[root@localhost testvm]# ls -lZ
total 8
-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 3648 Apr  5 16:46 tpm-00.permall

The log in /var/log/swtpm/libvirt/qemu is labeled as follows:

-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 2237 Apr  5 16:46 vtpm.log

[root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep swtpm | grep ctrl | grep -v grep
system_u:system_r:svirt_t:s0:c254,c932 tss 25664 0.0  0.0 28172  3892 ?        Ss   16:57   0:00 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/testvm-swtpm.sock,mode=0660 --tpmstate dir=/var/lib/libvirt/swtpm/testvm/tpm1.2 --log file=/var/log/swtpm/libvirt/qemu/testvm-swtpm.log

[root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep qemu | grep tpm | grep -v grep
system_u:system_r:svirt_t:s0:c254,c932 qemu 25669 99.0  0.0 3096704 48500 ?    Sl   16:57   3:28 /bin/qemu-system-x86_64 [..]

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
---
 src/libvirt_private.syms        |   2 +
 src/qemu/qemu_security.c        |  69 +++++++++++++++++
 src/qemu/qemu_security.h        |  11 +++
 src/qemu/qemu_tpm.c             |  12 ++-
 src/security/security_driver.h  |   7 ++
 src/security/security_manager.c |  36 +++++++++
 src/security/security_manager.h |   6 ++
 src/security/security_selinux.c | 164 ++++++++++++++++++++++++++++++++++++++++
 src/security/security_stack.c   |  40 ++++++++++
 9 files changed, 345 insertions(+), 2 deletions(-)

diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 34b686679b..7f85166856 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1320,6 +1320,7 @@ virSecurityManagerRestoreImageLabel;
 virSecurityManagerRestoreInputLabel;
 virSecurityManagerRestoreMemoryLabel;
 virSecurityManagerRestoreSavedStateLabel;
+virSecurityManagerRestoreTPMLabels;
 virSecurityManagerSetAllLabel;
 virSecurityManagerSetChardevLabel;
 virSecurityManagerSetChildProcessLabel;
@@ -1334,6 +1335,7 @@ virSecurityManagerSetProcessLabel;
 virSecurityManagerSetSavedStateLabel;
 virSecurityManagerSetSocketLabel;
 virSecurityManagerSetTapFDLabel;
+virSecurityManagerSetTPMLabels;
 virSecurityManagerStackAddNested;
 virSecurityManagerTransactionAbort;
 virSecurityManagerTransactionCommit;
diff --git a/src/qemu/qemu_security.c b/src/qemu/qemu_security.c
index 2aced22d2d..af3be42854 100644
--- a/src/qemu/qemu_security.c
+++ b/src/qemu/qemu_security.c
@@ -424,3 +424,72 @@ qemuSecurityRestoreChardevLabel(virQEMUDriverPtr driver,
     virSecurityManagerTransactionAbort(driver->securityManager);
     return ret;
 }
+
+
+/*
+ * qemuSecurityStartTPMEmulator:
+ *
+ * @driver: the QEMU driver
+ * @def: the domain definition
+ * @cmd: the command to run
+ * @uid: the uid to run the emulator
+ * @gid: the gid to run the emulator
+ * @existstatus: pointer to int returning exit status of process
+ * @cmdret: pointer to int returning result of virCommandRun
+ *
+ * Start the TPM emulator with approriate labels. Apply security
+ * labels to files first.
+ * This function returns -1 on security setup error, 0 if all the
+ * setup was done properly. In case the virCommand failed to run
+ * 0 is returned but cmdret is set appropriately with the process
+ * exitstatus also set.
+ */
+int
+qemuSecurityStartTPMEmulator(virQEMUDriverPtr driver,
+                             virDomainDefPtr def,
+                             virCommandPtr cmd,
+                             uid_t uid,
+                             gid_t gid,
+                             int *exitstatus,
+                             int *cmdret)
+{
+    int ret = -1;
+
+    if (virSecurityManagerSetTPMLabels(driver->securityManager,
+                                       def) < 0)
+        goto cleanup;
+
+    if (virSecurityManagerSetChildProcessLabel(driver->securityManager,
+                                               def, cmd) < 0)
+        goto cleanup;
+
+    if (virSecurityManagerPreFork(driver->securityManager) < 0)
+        goto cleanup;
+
+    ret = 0;
+    /* make sure we run this with the appropriate user */
+    virCommandSetUID(cmd, uid);
+    virCommandSetGID(cmd, gid);
+
+    *cmdret = virCommandRun(cmd, exitstatus);
+
+    virSecurityManagerPostFork(driver->securityManager);
+
+    if (*cmdret < 0)
+        goto cleanup;
+
+    return 0;
+
+ cleanup:
+    virSecurityManagerRestoreTPMLabels(driver->securityManager, def);
+
+    return ret;
+}
+
+
+void
+qemuSecurityCleanupTPMEmulator(virQEMUDriverPtr driver,
+                               virDomainDefPtr def)
+{
+    virSecurityManagerRestoreTPMLabels(driver->securityManager, def);
+}
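Review bot: A swtpm that runs but exits non-zero leaves the state directory and log file relabelled: after `virCommandRun` succeeds the function returns 0 regardless of `*exitstatus`, and only the `*cmdret < 0` branch reaches the `virSecurityManagerRestoreTPMLabels` call at `cleanup:`, so the caller in qemu_tpm.c (the `cmdret < 0 || exitstatus != 0` branch of qemuExtTPMStartEmulator, whose cleanup label is outside that hunk) has to call qemuSecurityCleanupTPMEmulator itself or the svirt label stays on the directory. Either restore when `*exitstatus != 0` here, or state in the header comment that the caller owns cleanup whenever 0 is returned. The header comment also names `@existstatus` where the signature has `exitstatus` and misspells "approriate". qemuSecurityCleanupTPMEmulator has no header comment; suggest `/* Restore the labels applied by qemuSecurityStartTPMEmulator; call once the emulator has been stopped. */`.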
diff --git a/src/qemu/qemu_security.h b/src/qemu/qemu_security.h
index d54ce6fead..a189b63828 100644
--- a/src/qemu/qemu_security.h
+++ b/src/qemu/qemu_security.h
@@ -84,6 +84,17 @@ int qemuSecurityRestoreChardevLabel(virQEMUDriverPtr driver,
                                     virDomainObjPtr vm,
                                     virDomainChrDefPtr chr);
 
+int qemuSecurityStartTPMEmulator(virQEMUDriverPtr driver,
+                                 virDomainDefPtr def,
+                                 virCommandPtr cmd,
+                                 uid_t uid,
+                                 gid_t gid,
+                                 int *exitstatus,
+                                 int *cmdret);
+
+void qemuSecurityCleanupTPMEmulator(virQEMUDriverPtr driver,
+                                    virDomainDefPtr def);
+
 /* Please note that for these APIs there is no wrapper yet. Do NOT blindly add
  * new APIs here. If an API can touch a /dev file add a proper wrapper instead.
  */
diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
index 18e69c129e..11b91aa915 100644
--- a/src/qemu/qemu_tpm.c
+++ b/src/qemu/qemu_tpm.c
@@ -29,6 +29,7 @@
 
 #include "qemu_extdevice.h"
 #include "qemu_domain.h"
+#include "qemu_security.h"
 
 #include "conf/domain_conf.h"
 #include "vircommand.h"
@@ -659,11 +660,12 @@ qemuExtTPMStartEmulator(virQEMUDriverPtr driver,
 {
     int ret = -1;
     virCommandPtr cmd = NULL;
-    int exitstatus;
+    int exitstatus = 0;
     char *errbuf = NULL;
     virQEMUDriverConfigPtr cfg;
     virDomainTPMDefPtr tpm = def->tpm;
     char *shortName = virDomainDefGetShortName(def);
+    int cmdret = 0;
 
     if (!shortName)
         return -1;
@@ -684,7 +686,12 @@ qemuExtTPMStartEmulator(virQEMUDriverPtr driver,
 
     virCommandSetErrorBuffer(cmd, &errbuf);
 
-    if (virCommandRun(cmd, &exitstatus) < 0 || exitstatus != 0) {
+    if (qemuSecurityStartTPMEmulator(driver, def, cmd,
+                                     cfg->swtpm_user, cfg->swtpm_group,
+                                     &exitstatus, &cmdret) < 0)
+        goto cleanup;
+
+    if (cmdret < 0 || exitstatus != 0) {
         virReportError(VIR_ERR_INTERNAL_ERROR,
                        _("Could not start 'swtpm'. exitstatus: %d, "
                        "error: %s"), exitstatus, errbuf);
@@ -739,6 +746,7 @@ qemuExtTPMStop(virQEMUDriverPtr driver,
             goto cleanup;
 
         qemuTPMEmulatorStop(cfg->swtpmStateDir, shortName);
+        qemuSecurityCleanupTPMEmulator(driver, def);
         break;
     case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
     case VIR_DOMAIN_TPM_TYPE_LAST:
diff --git a/src/security/security_driver.h b/src/security/security_driver.h
index 95e7c4de07..cbf0ecff6e 100644
--- a/src/security/security_driver.h
+++ b/src/security/security_driver.h
@@ -149,6 +149,10 @@ typedef int (*virSecurityDomainRestoreChardevLabel) (virSecurityManagerPtr mgr,
                                                      virDomainDefPtr def,
                                                      virDomainChrSourceDefPtr dev_source,
                                                      bool chardevStdioLogd);
+typedef int (*virSecurityDomainSetTPMLabels) (virSecurityManagerPtr mgr,
+                                              virDomainDefPtr def);
+typedef int (*virSecurityDomainRestoreTPMLabels) (virSecurityManagerPtr mgr,
+                                                  virDomainDefPtr def);
 
 
 struct _virSecurityDriver {
@@ -213,6 +217,9 @@ struct _virSecurityDriver {
 
     virSecurityDomainSetChardevLabel domainSetSecurityChardevLabel;
     virSecurityDomainRestoreChardevLabel domainRestoreSecurityChardevLabel;
+
+    virSecurityDomainSetTPMLabels domainSetSecurityTPMLabels;
+    virSecurityDomainRestoreTPMLabels domainRestoreSecurityTPMLabels;
 };
 
 virSecurityDriverPtr virSecurityDriverLookup(const char *name,
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index 71f7f59b9c..8683ad7d36 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -1204,3 +1204,39 @@ virSecurityManagerRestoreChardevLabel(virSecurityManagerPtr mgr,
     virReportUnsupportedError();
     return -1;
 }
+
+
+int
+virSecurityManagerSetTPMLabels(virSecurityManagerPtr mgr,
+                               virDomainDefPtr vm)
+{
+    int ret;
+
+    if (mgr->drv->domainSetSecurityTPMLabels) {
+        virObjectLock(mgr);
+        ret = mgr->drv->domainSetSecurityTPMLabels(mgr, vm);
+        virObjectUnlock(mgr);
+
+        return ret;
+    }
+
+    return 0;
+}
+
+
+int
+virSecurityManagerRestoreTPMLabels(virSecurityManagerPtr mgr,
+                                   virDomainDefPtr vm)
+{
+    int ret;
+
+    if (mgr->drv->domainRestoreSecurityTPMLabels) {
+        virObjectLock(mgr);
+        ret = mgr->drv->domainRestoreSecurityTPMLabels(mgr, vm);
+        virObjectUnlock(mgr);
+
+        return ret;
+    }
+
+    return 0;
+}
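Review bot: Both new wrappers silently return 0 when the driver does not implement the callback, whereas the wrapper directly above them (virSecurityManagerRestoreChardevLabel, lines ending this hunk's context with `virReportUnsupportedError(); return -1;`) treats a missing callback as an error. Returning 0 looks deliberate, since drivers that do not label the TPM (e.g. those stacked alongside SELinux) must not block swtpm from starting, but a reader comparing the two will assume an oversight; a short comment on each, such as `/* Labelling the external TPM is optional for a driver; a missing callback is not an error. */`, would make the contract explicit. Neither function has the header comment the other new APIs in this series carry.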
diff --git a/src/security/security_manager.h b/src/security/security_manager.h
index c36a8b488f..e772b6165e 100644
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@@ -194,4 +194,10 @@ int virSecurityManagerRestoreChardevLabel(virSecurityManagerPtr mgr,
                                           virDomainChrSourceDefPtr dev_source,
                                           bool chardevStdioLogd);
 
+int virSecurityManagerSetTPMLabels(virSecurityManagerPtr mgr,
+                                   virDomainDefPtr vm);
+
+int virSecurityManagerRestoreTPMLabels(virSecurityManagerPtr mgr,
+                                       virDomainDefPtr vm);
+
 #endif /* VIR_SECURITY_MANAGER_H__ */
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 92e84155d1..6377fb7947 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -3048,6 +3048,167 @@ virSecuritySELinuxDomainSetPathLabel(virSecurityManagerPtr mgr,
     return virSecuritySELinuxSetFilecon(mgr, path, seclabel->imagelabel);
 }
 
+
+/*
+ * _virSecuritySELinuxSetFileLabels:
+ *
+ * @mgr: the virSecurityManager
+ * @path: path to a directory or a file
+ * @seclabel: the security label
+ *
+ * Set the file labels on the given path; if the path is a directory
+ * we label all files found there, including the directory itself,
+ * otherwise we just label the file.
+ */
+static int
+_virSecuritySELinuxSetFileLabels(virSecurityManagerPtr mgr,
+                                 const char *path,
+                                 virSecurityLabelDefPtr seclabel)
+{
+    int ret = 0;
+    struct dirent *ent;
+    char *filename = NULL;
+    DIR *dir;
+
+    if ((ret = virSecuritySELinuxSetFilecon(mgr, path, seclabel->imagelabel)))
+        return ret;
+
+    if (!virFileIsDir(path))
+        return 0;
+
+    if (virDirOpen(&dir, path) < 0)
+        return -1;
+
+    while ((ret = virDirRead(dir, &ent, path)) > 0) {
+        if (ent->d_type != DT_REG)
+            continue;
+
+        if (virAsprintf(&filename, "%s/%s", path, ent->d_name) < 0) {
+            ret = -1;
+            break;
+        }
+        ret = virSecuritySELinuxSetFilecon(mgr, filename,
+                                           seclabel->imagelabel);
+        VIR_FREE(filename);
+        if (ret < 0)
+            break;
+    }
+    if (ret < 0)
+        virReportSystemError(errno, _("Unable to label files under %s"),
+                             path);
+
+    virDirClose(&dir);
+
+    return ret;
+}
+
+
+/*
+ * _virSecuritySELinuxRestoreFileLabels:
+ *
+ * @mgr: the virSecurityManager
+ * @path: path to a directory or a file
+ *
+ * Restore the file labels on the given path; if the path is a directory
+ * we restore all file labels found there, including the label of the
+ * directory itself, otherwise we just restore the label on the file.
+ */
+static int
+_virSecuritySELinuxRestoreFileLabels(virSecurityManagerPtr mgr,
+                                     const char *path)
+{
+    int ret = 0;
+    struct dirent *ent;
+    char *filename = NULL;
+    DIR *dir;
+
+    if ((ret = virSecuritySELinuxRestoreFileLabel(mgr, path)))
+        return ret;
+
+    if (!virFileIsDir(path))
+        return 0;
+
+    if (virDirOpen(&dir, path) < 0)
+        return -1;
+
+    while ((ret = virDirRead(dir, &ent, path)) > 0) {
+        if (ent->d_type != DT_REG)
+            continue;
+
+        if (virAsprintf(&filename, "%s/%s", path, ent->d_name) < 0) {
+            ret = -1;
+            break;
+        }
+        ret = virSecuritySELinuxRestoreFileLabel(mgr, filename);
+        VIR_FREE(filename);
+        if (ret < 0)
+            break;
+    }
+    if (ret < 0)
+        virReportSystemError(errno, _("Unable to restore file labels under %s"),
+                             path);
+
+    virDirClose(&dir);
+
+    return ret;
+}
+
+
+static int
+virSecuritySELinuxSetTPMLabels(virSecurityManagerPtr mgr,
+                               virDomainDefPtr def)
+{
+    int ret = 0;
+    virSecurityLabelDefPtr seclabel;
+
+    seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
+    if (seclabel == NULL)
+        return 0;
+
+    switch (def->tpm->type) {
+    case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
+        break;
+    case VIR_DOMAIN_TPM_TYPE_EMULATOR:
+        ret = _virSecuritySELinuxSetFileLabels(
+            mgr, def->tpm->data.emulator.storagepath,
+            seclabel);
+        if (ret == 0 && def->tpm->data.emulator.logfile)
+            ret = _virSecuritySELinuxSetFileLabels(
+                mgr, def->tpm->data.emulator.logfile,
+                seclabel);
+        break;
+    case VIR_DOMAIN_TPM_TYPE_LAST:
+        break;
+    }
+
+    return ret;
+}
+
+
+static int
+virSecuritySELinuxRestoreTPMLabels(virSecurityManagerPtr mgr,
+                                   virDomainDefPtr def)
+{
+    int ret = 0;
+
+    switch (def->tpm->type) {
+    case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
+        break;
+    case VIR_DOMAIN_TPM_TYPE_EMULATOR:
+        ret = _virSecuritySELinuxRestoreFileLabels(
+            mgr, def->tpm->data.emulator.storagepath);
+        if (ret == 0 && def->tpm->data.emulator.logfile)
+            ret = _virSecuritySELinuxRestoreFileLabels(
+                mgr, def->tpm->data.emulator.logfile);
+        break;
+    case VIR_DOMAIN_TPM_TYPE_LAST:
+        break;
+    }
+
+    return ret;
+}
+
+
 virSecurityDriver virSecurityDriverSELinux = {
     .privateDataLen                     = sizeof(virSecuritySELinuxData),
     .name                               = SECURITY_SELINUX_NAME,
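Review bot: Both directory walks skip every entry whose `d_type` is not DT_REG, but readdir() may return DT_UNKNOWN on filesystems that do not fill in `d_type`, so on such a volume the files under storagepath would silently keep their old label (swtpm is then denied access at run time) and, on the restore side, keep the svirt label after the guest is gone; changing the test to `if (ent->d_type != DT_REG && ent->d_type != DT_UNKNOWN) continue;` and letting virSecuritySELinuxSetFilecon/RestoreFileLabel deal with the path covers that case. virSecuritySELinuxSetTPMLabels returns early only when no SELinux seclabel exists; if the driver's other Set*Label helpers also honour the label's relabel flag (`<seclabel relabel='no'>`), this one should be aligned with them. The `virReportSystemError(errno, ...)` after the loop can report a stale errno when the break came from the virAsprintf failure, which has already reported its own error. The `_virSecuritySELinux*` names begin with an underscore, which C reserves for file-scope identifiers; the rest of the file does not use that prefix.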
@@ -3107,4 +3268,7 @@ virSecurityDriver virSecurityDriverSELinux = {
 
     .domainSetSecurityChardevLabel      = virSecuritySELinuxSetChardevLabel,
     .domainRestoreSecurityChardevLabel  = virSecuritySELinuxRestoreChardevLabel,
+
+    .domainSetSecurityTPMLabels         = virSecuritySELinuxSetTPMLabels,
+    .domainRestoreSecurityTPMLabels     = virSecuritySELinuxRestoreTPMLabels,
 };
diff --git a/src/security/security_stack.c b/src/security/security_stack.c
index 9615f9f972..e37a681293 100644
--- a/src/security/security_stack.c
+++ b/src/security/security_stack.c
@@ -760,6 +760,43 @@ virSecurityStackDomainRestoreChardevLabel(virSecurityManagerPtr mgr,
     return rc;
 }
 
+
+static int
+virSecurityStackSetTPMLabels(virSecurityManagerPtr mgr,
+                             virDomainDefPtr vm)
+{
+    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+    virSecurityStackItemPtr item = priv->itemsHead;
+    int rc = 0;
+
+    for (; item; item = item->next) {
+        if (virSecurityManagerSetTPMLabels(item->securityManager,
+                                           vm) < 0)
+            rc = -1;
+    }
+
+    return rc;
+}
+
+
+static int
+virSecurityStackRestoreTPMLabels(virSecurityManagerPtr mgr,
+                                 virDomainDefPtr vm)
+{
+    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+    virSecurityStackItemPtr item = priv->itemsHead;
+    int rc = 0;
+
+    for (; item; item = item->next) {
+        if (virSecurityManagerRestoreTPMLabels(item->securityManager,
+                                               vm) < 0)
+            rc = -1;
+    }
+
+    return rc;
+}
+
+
 virSecurityDriver virSecurityDriverStack = {
     .privateDataLen                     = sizeof(virSecurityStackData),
     .name                               = "stack",
@@ -822,4 +859,7 @@ virSecurityDriver virSecurityDriverStack = {
 
     .domainSetSecurityChardevLabel      = virSecurityStackDomainSetChardevLabel,
     .domainRestoreSecurityChardevLabel  = virSecurityStackDomainRestoreChardevLabel,
+
+    .domainSetSecurityTPMLabels         = virSecurityStackSetTPMLabels,
+    .domainRestoreSecurityTPMLabels     = virSecurityStackRestoreTPMLabels,
 };
-- 
2.14.3

Re: [libvirt] [PATCH v5 09/11] security: Label the external swtpm with SELinux labels
Posted by John Ferlan 6 years, 11 months ago

On 05/15/2018 08:26 PM, Stefan Berger wrote:
> In this patch we label the swtpm process with SELinux labels. We give it the
> same label as the QEMU process has. We label its state directory and files
> as well. We restore the old security labels once the swtpm has terminated.
> 
> The file and process labels now look as follows:
> 
> Directory: /var/lib/libvirt/swtpm
> 
> [root@localhost swtpm]# ls -lZ
> total 4
> rwx------. 2 tss  tss  system_u:object_r:svirt_image_t:s0:c254,c932 4096 Apr  5 16:46 testvm
> 
> [root@localhost testvm]# ls -lZ
> total 8
> -rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 3648 Apr  5 16:46 tpm-00.permall
> 
> The log in /var/log/swtpm/libvirt/qemu is labeled as follows:
> 
> -rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 2237 Apr  5 16:46 vtpm.log
> 
> [root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep swtpm | grep ctrl | grep -v grep
> system_u:system_r:svirt_t:s0:c254,c932 tss 25664 0.0  0.0 28172  3892 ?        Ss   16:57   0:00 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/testvm-swtpm.sock,mode=0660 --tpmstate dir=/var/lib/libvirt/swtpm/testvm/tpm1.2 --log file=/var/log/swtpm/libvirt/qemu/testvm-swtpm.log
> 
> [root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep qemu | grep tpm | grep -v grep
> system_u:system_r:svirt_t:s0:c254,c932 qemu 25669 99.0  0.0 3096704 48500 ?    Sl   16:57   3:28 /bin/qemu-system-x86_64 [..]
> 
> Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
> ---
>  src/libvirt_private.syms        |   2 +
>  src/qemu/qemu_security.c        |  69 +++++++++++++++++
>  src/qemu/qemu_security.h        |  11 +++
>  src/qemu/qemu_tpm.c             |  12 ++-
>  src/security/security_driver.h  |   7 ++
>  src/security/security_manager.c |  36 +++++++++
>  src/security/security_manager.h |   6 ++
>  src/security/security_selinux.c | 164 ++++++++++++++++++++++++++++++++++++++++
>  src/security/security_stack.c   |  40 ++++++++++
>  9 files changed, 345 insertions(+), 2 deletions(-)
> 

Reviewed-by: John Ferlan <jferlan@redhat.com>

John

Re: [libvirt] [PATCH v5 09/11] security: Label the external swtpm with SELinux labels
Posted by Stefan Berger 6 years, 11 months ago
On 05/21/2018 06:33 PM, John Ferlan wrote:
>
> On 05/15/2018 08:26 PM, Stefan Berger wrote:
>> In this patch we label the swtpm process with SELinux labels. We give it the
>> same label as the QEMU process has. We label its state directory and files
>> as well. We restore the old security labels once the swtpm has terminated.
>>
>> The file and process labels now look as follows:
>>
>> Directory: /var/lib/libvirt/swtpm
>>
>> [root@localhost swtpm]# ls -lZ
>> total 4
>> rwx------. 2 tss  tss  system_u:object_r:svirt_image_t:s0:c254,c932 4096 Apr  5 16:46 testvm
>>
>> [root@localhost testvm]# ls -lZ
>> total 8
>> -rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 3648 Apr  5 16:46 tpm-00.permall
>>
>> The log in /var/log/swtpm/libvirt/qemu is labeled as follows:
>>
>> -rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 2237 Apr  5 16:46 vtpm.log
>>
>> [root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep swtpm | grep ctrl | grep -v grep
>> system_u:system_r:svirt_t:s0:c254,c932 tss 25664 0.0  0.0 28172  3892 ?        Ss   16:57   0:00 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/testvm-swtpm.sock,mode=0660 --tpmstate dir=/var/lib/libvirt/swtpm/testvm/tpm1.2 --log file=/var/log/swtpm/libvirt/qemu/testvm-swtpm.log
>>
>> [root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep qemu | grep tpm | grep -v grep
>> system_u:system_r:svirt_t:s0:c254,c932 qemu 25669 99.0  0.0 3096704 48500 ?    Sl   16:57   3:28 /bin/qemu-system-x86_64 [..]
>>
>> Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
>> ---
>>   src/libvirt_private.syms        |   2 +
>>   src/qemu/qemu_security.c        |  69 +++++++++++++++++
>>   src/qemu/qemu_security.h        |  11 +++
>>   src/qemu/qemu_tpm.c             |  12 ++-
>>   src/security/security_driver.h  |   7 ++
>>   src/security/security_manager.c |  36 +++++++++
>>   src/security/security_manager.h |   6 ++
>>   src/security/security_selinux.c | 164 ++++++++++++++++++++++++++++++++++++++++
>>   src/security/security_stack.c   |  40 ++++++++++
>>   9 files changed, 345 insertions(+), 2 deletions(-)
>>
> Reviewed-by: John Ferlan <jferlan@redhat.com>

Thanks.

This patch here obviously solves the issue for SELinux. I have in the 
meantime worked on an Ubuntu system with AppArmor and would follow up 
with AppArmor related patches. The issue is, if AppArmor is active, the 
swtpm will not start at this point. This additional patch set will fix 
this then. The problem is primarily related to the call to 
virSecurityManagerSetChildProcessLabel(), which does what we/I want for 
the swtpm process under SELinux but is not suitable for the swtpm 
process under AppArmor. There it would apply an AppArmor profile for 
QEMU to the swtpm process, which is probably not what we want. With the 
paths to log file, PID file etc. accepted, we can extend the libvirtd 
AppArmor profile with a swtpm subprofile to switch to from the libvirt 
profile during the execve().

    Stefan

>
> John
>
