render / rpms / libvirt

Forked from rpms/libvirt 11 months ago
Clone
032100
From 6b11a6113bb62c9280de3122f223a7a7a1be04ba Mon Sep 17 00:00:00 2001
032100
Message-Id: <6b11a6113bb62c9280de3122f223a7a7a1be04ba@dist-git>
032100
From: Michal Privoznik <mprivozn@redhat.com>
032100
Date: Wed, 21 Sep 2022 15:56:13 +0200
032100
Subject: [PATCH] security_selinux: Don't ignore NVMe disks when setting image
032100
 label
032100
032100
For NVMe disks we skip setting SELinux label on corresponding
032100
VFIO group (/dev/vfio/X). This bug is only visible with
032100
namespaces and goes as follows:
032100
032100
1) libvirt assigns NVMe disk to vfio-pci driver,
032100
2) kernel creates /dev/vfio/X node with generic device_t SELinux
032100
   label,
032100
3) our namespace code creates the exact copy of the node in
032100
   domain's private /dev,
032100
4) SELinux policy kicks in an changes the label on the node to
032100
   vfio_device_t (in the top most namespace),
032100
5) libvirt tells QEMU to attach the NVMe disk, which is denied by
032100
   SELinux policy.
032100
032100
While one can argue that kernel should have created the
032100
/dev/vfio/X node with the correct SELinux label from the
032100
beginning (step 2), libvirt can't rely on that and needs to set
032100
label on its own.
032100
032100
Surprisingly, I already wrote the code that aims on this specific
032100
case (v6.0.0-rc1~241), but because of a shortcut we take earlier
032100
it is never ran. The reason is that
032100
virStorageSourceIsLocalStorage() considers NVMe disks as
032100
non-local because their source is not accessible via src->path
032100
(or even if it is, it's not a local path).
032100
032100
Therefore, do not exit early for NVMe disks and let the function
032100
continue.
032100
032100
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2121441
032100
Fixes: 284a12bae0e4cf93ea72797965d6c12e3a103f40
032100
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
032100
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
032100
(cherry picked from commit 68e93e3180ad4e51bf9f86850dc86d8f528d6564)
032100
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
032100
---
032100
 src/security/security_selinux.c | 6 +++++-
032100
 1 file changed, 5 insertions(+), 1 deletion(-)
032100
032100
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
032100
index e2f34a27dc..6cd3e845fd 100644
032100
--- a/src/security/security_selinux.c
032100
+++ b/src/security/security_selinux.c
032100
@@ -1818,7 +1818,11 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityManager *mgr,
032100
     const char *path = src->path;
032100
     int ret;
032100
 
032100
-    if (!src->path || !virStorageSourceIsLocalStorage(src))
032100
+    /* Special case NVMe. Per virStorageSourceIsLocalStorage() it's
032100
+     * considered not local, but we still want the code below to set
032100
+     * label on VFIO group. */
032100
+    if (src->type != VIR_STORAGE_TYPE_NVME &&
032100
+        (!src->path || !virStorageSourceIsLocalStorage(src)))
032100
         return 0;
032100
 
032100
     secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
032100
-- 
032100
2.37.3
032100