|
|
c1c534 |
From 52568bd61d6fcf0ac32fea4db57527f9fe28c9a5 Mon Sep 17 00:00:00 2001
|
|
|
c1c534 |
Message-Id: <52568bd61d6fcf0ac32fea4db57527f9fe28c9a5@dist-git>
|
|
|
c1c534 |
From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
|
|
|
c1c534 |
Date: Mon, 27 Nov 2017 14:20:59 +0100
|
|
|
c1c534 |
Subject: [PATCH] security: Introduce functions for input device hot(un)plug
|
|
|
c1c534 |
MIME-Version: 1.0
|
|
|
c1c534 |
Content-Type: text/plain; charset=UTF-8
|
|
|
c1c534 |
Content-Transfer-Encoding: 8bit
|
|
|
c1c534 |
|
|
|
c1c534 |
Export the existing DAC and SELinux for separate use and introduce
|
|
|
c1c534 |
functions for stack, nop and the security manager.
|
|
|
c1c534 |
|
|
|
c1c534 |
(cherry picked from commit d8116b5a0a6364b29e9774323d9aa442ad8c561d)
|
|
|
c1c534 |
|
|
|
c1c534 |
https://bugzilla.redhat.com/show_bug.cgi?id=1509866
|
|
|
c1c534 |
|
|
|
c1c534 |
Signed-off-by: Ján Tomko <jtomko@redhat.com>
|
|
|
c1c534 |
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
|
|
|
c1c534 |
---
|
|
|
c1c534 |
src/libvirt_private.syms | 2 ++
|
|
|
c1c534 |
src/security/security_dac.c | 3 +++
|
|
|
c1c534 |
src/security/security_driver.h | 9 +++++++++
|
|
|
c1c534 |
src/security/security_manager.c | 36 ++++++++++++++++++++++++++++++++++++
|
|
|
c1c534 |
src/security/security_manager.h | 8 ++++++++
|
|
|
c1c534 |
src/security/security_nop.c | 11 +++++++++++
|
|
|
c1c534 |
src/security/security_selinux.c | 3 +++
|
|
|
c1c534 |
src/security/security_stack.c | 38 ++++++++++++++++++++++++++++++++++++++
|
|
|
c1c534 |
8 files changed, 110 insertions(+)
|
|
|
c1c534 |
|
|
|
c1c534 |
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
|
|
|
c1c534 |
index 3e0bc8730c..65b1143c9b 100644
|
|
|
c1c534 |
--- a/src/libvirt_private.syms
|
|
|
c1c534 |
+++ b/src/libvirt_private.syms
|
|
|
c1c534 |
@@ -1267,6 +1267,7 @@ virSecurityManagerRestoreAllLabel;
|
|
|
c1c534 |
virSecurityManagerRestoreDiskLabel;
|
|
|
c1c534 |
virSecurityManagerRestoreHostdevLabel;
|
|
|
c1c534 |
virSecurityManagerRestoreImageLabel;
|
|
|
c1c534 |
+virSecurityManagerRestoreInputLabel;
|
|
|
c1c534 |
virSecurityManagerRestoreMemoryLabel;
|
|
|
c1c534 |
virSecurityManagerRestoreSavedStateLabel;
|
|
|
c1c534 |
virSecurityManagerSetAllLabel;
|
|
|
c1c534 |
@@ -1276,6 +1277,7 @@ virSecurityManagerSetDiskLabel;
|
|
|
c1c534 |
virSecurityManagerSetHostdevLabel;
|
|
|
c1c534 |
virSecurityManagerSetImageFDLabel;
|
|
|
c1c534 |
virSecurityManagerSetImageLabel;
|
|
|
c1c534 |
+virSecurityManagerSetInputLabel;
|
|
|
c1c534 |
virSecurityManagerSetMemoryLabel;
|
|
|
c1c534 |
virSecurityManagerSetProcessLabel;
|
|
|
c1c534 |
virSecurityManagerSetSavedStateLabel;
|
|
|
c1c534 |
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
|
|
|
c1c534 |
index 244b300a9f..24d9264216 100644
|
|
|
c1c534 |
--- a/src/security/security_dac.c
|
|
|
c1c534 |
+++ b/src/security/security_dac.c
|
|
|
c1c534 |
@@ -2103,6 +2103,9 @@ virSecurityDriver virSecurityDriverDAC = {
|
|
|
c1c534 |
.domainSetSecurityMemoryLabel = virSecurityDACSetMemoryLabel,
|
|
|
c1c534 |
.domainRestoreSecurityMemoryLabel = virSecurityDACRestoreMemoryLabel,
|
|
|
c1c534 |
|
|
|
c1c534 |
+ .domainSetSecurityInputLabel = virSecurityDACSetInputLabel,
|
|
|
c1c534 |
+ .domainRestoreSecurityInputLabel = virSecurityDACRestoreInputLabel,
|
|
|
c1c534 |
+
|
|
|
c1c534 |
.domainSetSecurityDaemonSocketLabel = virSecurityDACSetDaemonSocketLabel,
|
|
|
c1c534 |
.domainSetSecuritySocketLabel = virSecurityDACSetSocketLabel,
|
|
|
c1c534 |
.domainClearSecuritySocketLabel = virSecurityDACClearSocketLabel,
|
|
|
c1c534 |
diff --git a/src/security/security_driver.h b/src/security/security_driver.h
|
|
|
c1c534 |
index 0b3b452486..1b3070d06d 100644
|
|
|
c1c534 |
--- a/src/security/security_driver.h
|
|
|
c1c534 |
+++ b/src/security/security_driver.h
|
|
|
c1c534 |
@@ -131,6 +131,12 @@ typedef int (*virSecurityDomainSetMemoryLabel) (virSecurityManagerPtr mgr,
|
|
|
c1c534 |
typedef int (*virSecurityDomainRestoreMemoryLabel) (virSecurityManagerPtr mgr,
|
|
|
c1c534 |
virDomainDefPtr def,
|
|
|
c1c534 |
virDomainMemoryDefPtr mem);
|
|
|
c1c534 |
+typedef int (*virSecurityDomainSetInputLabel) (virSecurityManagerPtr mgr,
|
|
|
c1c534 |
+ virDomainDefPtr def,
|
|
|
c1c534 |
+ virDomainInputDefPtr input);
|
|
|
c1c534 |
+typedef int (*virSecurityDomainRestoreInputLabel) (virSecurityManagerPtr mgr,
|
|
|
c1c534 |
+ virDomainDefPtr def,
|
|
|
c1c534 |
+ virDomainInputDefPtr input);
|
|
|
c1c534 |
typedef int (*virSecurityDomainSetPathLabel) (virSecurityManagerPtr mgr,
|
|
|
c1c534 |
virDomainDefPtr def,
|
|
|
c1c534 |
const char *path);
|
|
|
c1c534 |
@@ -163,6 +169,9 @@ struct _virSecurityDriver {
|
|
|
c1c534 |
virSecurityDomainSetMemoryLabel domainSetSecurityMemoryLabel;
|
|
|
c1c534 |
virSecurityDomainRestoreMemoryLabel domainRestoreSecurityMemoryLabel;
|
|
|
c1c534 |
|
|
|
c1c534 |
+ virSecurityDomainSetInputLabel domainSetSecurityInputLabel;
|
|
|
c1c534 |
+ virSecurityDomainRestoreInputLabel domainRestoreSecurityInputLabel;
|
|
|
c1c534 |
+
|
|
|
c1c534 |
virSecurityDomainSetDaemonSocketLabel domainSetSecurityDaemonSocketLabel;
|
|
|
c1c534 |
virSecurityDomainSetSocketLabel domainSetSecuritySocketLabel;
|
|
|
c1c534 |
virSecurityDomainClearSocketLabel domainClearSecuritySocketLabel;
|
|
|
c1c534 |
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
|
|
|
c1c534 |
index 60cfc92e77..3cf12188a0 100644
|
|
|
c1c534 |
--- a/src/security/security_manager.c
|
|
|
c1c534 |
+++ b/src/security/security_manager.c
|
|
|
c1c534 |
@@ -1116,3 +1116,39 @@ virSecurityManagerRestoreMemoryLabel(virSecurityManagerPtr mgr,
|
|
|
c1c534 |
virReportUnsupportedError();
|
|
|
c1c534 |
return -1;
|
|
|
c1c534 |
}
|
|
|
c1c534 |
+
|
|
|
c1c534 |
+
|
|
|
c1c534 |
+int
|
|
|
c1c534 |
+virSecurityManagerSetInputLabel(virSecurityManagerPtr mgr,
|
|
|
c1c534 |
+ virDomainDefPtr vm,
|
|
|
c1c534 |
+ virDomainInputDefPtr input)
|
|
|
c1c534 |
+{
|
|
|
c1c534 |
+ if (mgr->drv->domainSetSecurityInputLabel) {
|
|
|
c1c534 |
+ int ret;
|
|
|
c1c534 |
+ virObjectLock(mgr);
|
|
|
c1c534 |
+ ret = mgr->drv->domainSetSecurityInputLabel(mgr, vm, input);
|
|
|
c1c534 |
+ virObjectUnlock(mgr);
|
|
|
c1c534 |
+ return ret;
|
|
|
c1c534 |
+ }
|
|
|
c1c534 |
+
|
|
|
c1c534 |
+ virReportUnsupportedError();
|
|
|
c1c534 |
+ return -1;
|
|
|
c1c534 |
+}
|
|
|
c1c534 |
+
|
|
|
c1c534 |
+
|
|
|
c1c534 |
+int
|
|
|
c1c534 |
+virSecurityManagerRestoreInputLabel(virSecurityManagerPtr mgr,
|
|
|
c1c534 |
+ virDomainDefPtr vm,
|
|
|
c1c534 |
+ virDomainInputDefPtr input)
|
|
|
c1c534 |
+{
|
|
|
c1c534 |
+ if (mgr->drv->domainRestoreSecurityInputLabel) {
|
|
|
c1c534 |
+ int ret;
|
|
|
c1c534 |
+ virObjectLock(mgr);
|
|
|
c1c534 |
+ ret = mgr->drv->domainRestoreSecurityInputLabel(mgr, vm, input);
|
|
|
c1c534 |
+ virObjectUnlock(mgr);
|
|
|
c1c534 |
+ return ret;
|
|
|
c1c534 |
+ }
|
|
|
c1c534 |
+
|
|
|
c1c534 |
+ virReportUnsupportedError();
|
|
|
c1c534 |
+ return -1;
|
|
|
c1c534 |
+}
|
|
|
c1c534 |
diff --git a/src/security/security_manager.h b/src/security/security_manager.h
|
|
|
c1c534 |
index 08fb89203a..87fe890692 100644
|
|
|
c1c534 |
--- a/src/security/security_manager.h
|
|
|
c1c534 |
+++ b/src/security/security_manager.h
|
|
|
c1c534 |
@@ -172,6 +172,14 @@ int virSecurityManagerRestoreMemoryLabel(virSecurityManagerPtr mgr,
|
|
|
c1c534 |
virDomainDefPtr vm,
|
|
|
c1c534 |
virDomainMemoryDefPtr mem);
|
|
|
c1c534 |
|
|
|
c1c534 |
+int virSecurityManagerSetInputLabel(virSecurityManagerPtr mgr,
|
|
|
c1c534 |
+ virDomainDefPtr vm,
|
|
|
c1c534 |
+ virDomainInputDefPtr input);
|
|
|
c1c534 |
+int virSecurityManagerRestoreInputLabel(virSecurityManagerPtr mgr,
|
|
|
c1c534 |
+ virDomainDefPtr vm,
|
|
|
c1c534 |
+ virDomainInputDefPtr input);
|
|
|
c1c534 |
+
|
|
|
c1c534 |
+
|
|
|
c1c534 |
int virSecurityManagerDomainSetPathLabel(virSecurityManagerPtr mgr,
|
|
|
c1c534 |
virDomainDefPtr vm,
|
|
|
c1c534 |
const char *path);
|
|
|
c1c534 |
diff --git a/src/security/security_nop.c b/src/security/security_nop.c
|
|
|
c1c534 |
index 527be11e5a..cfb032c686 100644
|
|
|
c1c534 |
--- a/src/security/security_nop.c
|
|
|
c1c534 |
+++ b/src/security/security_nop.c
|
|
|
c1c534 |
@@ -254,6 +254,14 @@ virSecurityDomainRestoreMemoryLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSE
|
|
|
c1c534 |
return 0;
|
|
|
c1c534 |
}
|
|
|
c1c534 |
|
|
|
c1c534 |
+static int
|
|
|
c1c534 |
+virSecurityDomainInputLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
|
|
c1c534 |
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
|
|
|
c1c534 |
+ virDomainInputDefPtr input ATTRIBUTE_UNUSED)
|
|
|
c1c534 |
+{
|
|
|
c1c534 |
+ return 0;
|
|
|
c1c534 |
+}
|
|
|
c1c534 |
+
|
|
|
c1c534 |
|
|
|
c1c534 |
virSecurityDriver virSecurityDriverNop = {
|
|
|
c1c534 |
.privateDataLen = 0,
|
|
|
c1c534 |
@@ -276,6 +284,9 @@ virSecurityDriver virSecurityDriverNop = {
|
|
|
c1c534 |
.domainSetSecurityMemoryLabel = virSecurityDomainSetMemoryLabelNop,
|
|
|
c1c534 |
.domainRestoreSecurityMemoryLabel = virSecurityDomainRestoreMemoryLabelNop,
|
|
|
c1c534 |
|
|
|
c1c534 |
+ .domainSetSecurityInputLabel = virSecurityDomainInputLabelNop,
|
|
|
c1c534 |
+ .domainRestoreSecurityInputLabel = virSecurityDomainInputLabelNop,
|
|
|
c1c534 |
+
|
|
|
c1c534 |
.domainSetSecurityDaemonSocketLabel = virSecurityDomainSetDaemonSocketLabelNop,
|
|
|
c1c534 |
.domainSetSecuritySocketLabel = virSecurityDomainSetSocketLabelNop,
|
|
|
c1c534 |
.domainClearSecuritySocketLabel = virSecurityDomainClearSocketLabelNop,
|
|
|
c1c534 |
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
|
|
|
c1c534 |
index cd3e411931..d44de72e02 100644
|
|
|
c1c534 |
--- a/src/security/security_selinux.c
|
|
|
c1c534 |
+++ b/src/security/security_selinux.c
|
|
|
c1c534 |
@@ -3058,6 +3058,9 @@ virSecurityDriver virSecurityDriverSELinux = {
|
|
|
c1c534 |
.domainSetSecurityMemoryLabel = virSecuritySELinuxSetMemoryLabel,
|
|
|
c1c534 |
.domainRestoreSecurityMemoryLabel = virSecuritySELinuxRestoreMemoryLabel,
|
|
|
c1c534 |
|
|
|
c1c534 |
+ .domainSetSecurityInputLabel = virSecuritySELinuxSetInputLabel,
|
|
|
c1c534 |
+ .domainRestoreSecurityInputLabel = virSecuritySELinuxRestoreInputLabel,
|
|
|
c1c534 |
+
|
|
|
c1c534 |
.domainSetSecurityDaemonSocketLabel = virSecuritySELinuxSetDaemonSocketLabel,
|
|
|
c1c534 |
.domainSetSecuritySocketLabel = virSecuritySELinuxSetSocketLabel,
|
|
|
c1c534 |
.domainClearSecuritySocketLabel = virSecuritySELinuxClearSocketLabel,
|
|
|
c1c534 |
diff --git a/src/security/security_stack.c b/src/security/security_stack.c
|
|
|
c1c534 |
index 53eee1692f..cd916382b2 100644
|
|
|
c1c534 |
--- a/src/security/security_stack.c
|
|
|
c1c534 |
+++ b/src/security/security_stack.c
|
|
|
c1c534 |
@@ -666,6 +666,41 @@ virSecurityStackRestoreMemoryLabel(virSecurityManagerPtr mgr,
|
|
|
c1c534 |
return rc;
|
|
|
c1c534 |
}
|
|
|
c1c534 |
|
|
|
c1c534 |
+static int
|
|
|
c1c534 |
+virSecurityStackSetInputLabel(virSecurityManagerPtr mgr,
|
|
|
c1c534 |
+ virDomainDefPtr vm,
|
|
|
c1c534 |
+ virDomainInputDefPtr input)
|
|
|
c1c534 |
+{
|
|
|
c1c534 |
+ virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
|
|
|
c1c534 |
+ virSecurityStackItemPtr item = priv->itemsHead;
|
|
|
c1c534 |
+ int rc = 0;
|
|
|
c1c534 |
+
|
|
|
c1c534 |
+ for (; item; item = item->next) {
|
|
|
c1c534 |
+ if (virSecurityManagerSetInputLabel(item->securityManager, vm, input) < 0)
|
|
|
c1c534 |
+ rc = -1;
|
|
|
c1c534 |
+ }
|
|
|
c1c534 |
+
|
|
|
c1c534 |
+ return rc;
|
|
|
c1c534 |
+}
|
|
|
c1c534 |
+
|
|
|
c1c534 |
+static int
|
|
|
c1c534 |
+virSecurityStackRestoreInputLabel(virSecurityManagerPtr mgr,
|
|
|
c1c534 |
+ virDomainDefPtr vm,
|
|
|
c1c534 |
+ virDomainInputDefPtr input)
|
|
|
c1c534 |
+{
|
|
|
c1c534 |
+ virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
|
|
|
c1c534 |
+ virSecurityStackItemPtr item = priv->itemsHead;
|
|
|
c1c534 |
+ int rc = 0;
|
|
|
c1c534 |
+
|
|
|
c1c534 |
+ for (; item; item = item->next) {
|
|
|
c1c534 |
+ if (virSecurityManagerRestoreInputLabel(item->securityManager,
|
|
|
c1c534 |
+ vm, input) < 0)
|
|
|
c1c534 |
+ rc = -1;
|
|
|
c1c534 |
+ }
|
|
|
c1c534 |
+
|
|
|
c1c534 |
+ return rc;
|
|
|
c1c534 |
+}
|
|
|
c1c534 |
+
|
|
|
c1c534 |
static int
|
|
|
c1c534 |
virSecurityStackDomainSetPathLabel(virSecurityManagerPtr mgr,
|
|
|
c1c534 |
virDomainDefPtr vm,
|
|
|
c1c534 |
@@ -711,6 +746,9 @@ virSecurityDriver virSecurityDriverStack = {
|
|
|
c1c534 |
.domainSetSecurityMemoryLabel = virSecurityStackSetMemoryLabel,
|
|
|
c1c534 |
.domainRestoreSecurityMemoryLabel = virSecurityStackRestoreMemoryLabel,
|
|
|
c1c534 |
|
|
|
c1c534 |
+ .domainSetSecurityInputLabel = virSecurityStackSetInputLabel,
|
|
|
c1c534 |
+ .domainRestoreSecurityInputLabel = virSecurityStackRestoreInputLabel,
|
|
|
c1c534 |
+
|
|
|
c1c534 |
.domainSetSecurityDaemonSocketLabel = virSecurityStackSetDaemonSocketLabel,
|
|
|
c1c534 |
.domainSetSecuritySocketLabel = virSecurityStackSetSocketLabel,
|
|
|
c1c534 |
.domainClearSecuritySocketLabel = virSecurityStackClearSocketLabel,
|
|
|
c1c534 |
--
|
|
|
c1c534 |
2.15.1
|
|
|
c1c534 |
|