From 6b11a6113bb62c9280de3122f223a7a7a1be04ba Mon Sep 17 00:00:00 2001
Message-Id: <6b11a6113bb62c9280de3122f223a7a7a1be04ba@dist-git>
From: Michal Privoznik <mprivozn@redhat.com>
Date: Wed, 21 Sep 2022 15:56:13 +0200
Subject: [PATCH] security_selinux: Don't ignore NVMe disks when setting image
label
For NVMe disks we skip setting SELinux label on corresponding
VFIO group (/dev/vfio/X). This bug is only visible with
namespaces and goes as follows:
1) libvirt assigns NVMe disk to vfio-pci driver,
2) kernel creates /dev/vfio/X node with generic device_t SELinux
label,
3) our namespace code creates the exact copy of the node in
domain's private /dev,
4) SELinux policy kicks in and changes the label on the node to
vfio_device_t (in the top most namespace),
5) libvirt tells QEMU to attach the NVMe disk, which is denied by
SELinux policy.
While one can argue that kernel should have created the
/dev/vfio/X node with the correct SELinux label from the
beginning (step 2), libvirt can't rely on that and needs to set
label on its own.
Surprisingly, I already wrote the code that aims on this specific
case (v6.0.0-rc1~241), but because of a shortcut we take earlier
it is never ran. The reason is that
virStorageSourceIsLocalStorage() considers NVMe disks as
non-local because their source is not accessible via src->path
(or even if it is, it's not a local path).
Therefore, do not exit early for NVMe disks and let the function
continue.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2121441
Fixes: 284a12bae0e4cf93ea72797965d6c12e3a103f40
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
(cherry picked from commit 68e93e3180ad4e51bf9f86850dc86d8f528d6564)
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
src/security/security_selinux.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index e2f34a27dc..6cd3e845fd 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1818,7 +1818,11 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityManager *mgr,
const char *path = src->path;
int ret;
|
- if (!src->path || !virStorageSourceIsLocalStorage(src))
+ /* Special case NVMe. Per virStorageSourceIsLocalStorage() it's
+ * considered not local, but we still want the code below to set
+ * label on VFIO group. */
+ if (src->type != VIR_STORAGE_TYPE_NVME &&
+ (!src->path || !virStorageSourceIsLocalStorage(src)))
return 0;
|
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
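Review bot: With the NVMe exception in the new condition, the `!src->path` guard no longer protects the rest of the function for NVMe sources, while `path` is still initialized from `src->path` two lines above and the commit message says that is not a usable local path for NVMe (so it may well be NULL). The remainder of virSecuritySELinuxSetImageLabelInternal lies outside this hunk, so it is not visible here whether every later use of `path` is reached only after the NVMe-specific VFIO-group handling; that ordering is what the relaxed guard now relies on, and it should be stated where the exception is made, e.g. extend the comment with `* label on VFIO group. Nothing below may dereference 'path' before the NVMe branch has run. */`. If a later statement does use `path` unconditionally, the NVMe case should be dispatched before it rather than relying on the comment.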
--
2.37.3