c1c534
From 52568bd61d6fcf0ac32fea4db57527f9fe28c9a5 Mon Sep 17 00:00:00 2001
c1c534
Message-Id: <52568bd61d6fcf0ac32fea4db57527f9fe28c9a5@dist-git>
c1c534
From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
c1c534
Date: Mon, 27 Nov 2017 14:20:59 +0100
c1c534
Subject: [PATCH] security: Introduce functions for input device hot(un)plug
c1c534
MIME-Version: 1.0
c1c534
Content-Type: text/plain; charset=UTF-8
c1c534
Content-Transfer-Encoding: 8bit
c1c534
c1c534
Export the existing DAC and SELinux for separate use and introduce
c1c534
functions for stack, nop and the security manager.
c1c534
c1c534
(cherry picked from commit d8116b5a0a6364b29e9774323d9aa442ad8c561d)
c1c534
c1c534
https://bugzilla.redhat.com/show_bug.cgi?id=1509866
c1c534
c1c534
Signed-off-by: Ján Tomko <jtomko@redhat.com>
c1c534
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
c1c534
---
c1c534
 src/libvirt_private.syms        |  2 ++
c1c534
 src/security/security_dac.c     |  3 +++
c1c534
 src/security/security_driver.h  |  9 +++++++++
c1c534
 src/security/security_manager.c | 36 ++++++++++++++++++++++++++++++++++++
c1c534
 src/security/security_manager.h |  8 ++++++++
c1c534
 src/security/security_nop.c     | 11 +++++++++++
c1c534
 src/security/security_selinux.c |  3 +++
c1c534
 src/security/security_stack.c   | 38 ++++++++++++++++++++++++++++++++++++++
c1c534
 8 files changed, 110 insertions(+)
c1c534
c1c534
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
c1c534
index 3e0bc8730c..65b1143c9b 100644
c1c534
--- a/src/libvirt_private.syms
c1c534
+++ b/src/libvirt_private.syms
c1c534
@@ -1267,6 +1267,7 @@ virSecurityManagerRestoreAllLabel;
c1c534
 virSecurityManagerRestoreDiskLabel;
c1c534
 virSecurityManagerRestoreHostdevLabel;
c1c534
 virSecurityManagerRestoreImageLabel;
c1c534
+virSecurityManagerRestoreInputLabel;
c1c534
 virSecurityManagerRestoreMemoryLabel;
c1c534
 virSecurityManagerRestoreSavedStateLabel;
c1c534
 virSecurityManagerSetAllLabel;
c1c534
@@ -1276,6 +1277,7 @@ virSecurityManagerSetDiskLabel;
c1c534
 virSecurityManagerSetHostdevLabel;
c1c534
 virSecurityManagerSetImageFDLabel;
c1c534
 virSecurityManagerSetImageLabel;
c1c534
+virSecurityManagerSetInputLabel;
c1c534
 virSecurityManagerSetMemoryLabel;
c1c534
 virSecurityManagerSetProcessLabel;
c1c534
 virSecurityManagerSetSavedStateLabel;
c1c534
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
c1c534
index 244b300a9f..24d9264216 100644
c1c534
--- a/src/security/security_dac.c
c1c534
+++ b/src/security/security_dac.c
c1c534
@@ -2103,6 +2103,9 @@ virSecurityDriver virSecurityDriverDAC = {
c1c534
     .domainSetSecurityMemoryLabel       = virSecurityDACSetMemoryLabel,
c1c534
     .domainRestoreSecurityMemoryLabel   = virSecurityDACRestoreMemoryLabel,
c1c534
 
c1c534
+    .domainSetSecurityInputLabel        = virSecurityDACSetInputLabel,
c1c534
+    .domainRestoreSecurityInputLabel    = virSecurityDACRestoreInputLabel,
c1c534
+
c1c534
     .domainSetSecurityDaemonSocketLabel = virSecurityDACSetDaemonSocketLabel,
c1c534
     .domainSetSecuritySocketLabel       = virSecurityDACSetSocketLabel,
c1c534
     .domainClearSecuritySocketLabel     = virSecurityDACClearSocketLabel,
c1c534
diff --git a/src/security/security_driver.h b/src/security/security_driver.h
c1c534
index 0b3b452486..1b3070d06d 100644
c1c534
--- a/src/security/security_driver.h
c1c534
+++ b/src/security/security_driver.h
c1c534
@@ -131,6 +131,12 @@ typedef int (*virSecurityDomainSetMemoryLabel) (virSecurityManagerPtr mgr,
c1c534
 typedef int (*virSecurityDomainRestoreMemoryLabel) (virSecurityManagerPtr mgr,
c1c534
                                                     virDomainDefPtr def,
c1c534
                                                     virDomainMemoryDefPtr mem);
c1c534
+typedef int (*virSecurityDomainSetInputLabel) (virSecurityManagerPtr mgr,
c1c534
+                                               virDomainDefPtr def,
c1c534
+                                               virDomainInputDefPtr input);
c1c534
+typedef int (*virSecurityDomainRestoreInputLabel) (virSecurityManagerPtr mgr,
c1c534
+                                                   virDomainDefPtr def,
c1c534
+                                                   virDomainInputDefPtr input);
c1c534
 typedef int (*virSecurityDomainSetPathLabel) (virSecurityManagerPtr mgr,
c1c534
                                               virDomainDefPtr def,
c1c534
                                               const char *path);
c1c534
@@ -163,6 +169,9 @@ struct _virSecurityDriver {
c1c534
     virSecurityDomainSetMemoryLabel domainSetSecurityMemoryLabel;
c1c534
     virSecurityDomainRestoreMemoryLabel domainRestoreSecurityMemoryLabel;
c1c534
 
c1c534
+    virSecurityDomainSetInputLabel domainSetSecurityInputLabel;
c1c534
+    virSecurityDomainRestoreInputLabel domainRestoreSecurityInputLabel;
c1c534
+
c1c534
     virSecurityDomainSetDaemonSocketLabel domainSetSecurityDaemonSocketLabel;
c1c534
     virSecurityDomainSetSocketLabel domainSetSecuritySocketLabel;
c1c534
     virSecurityDomainClearSocketLabel domainClearSecuritySocketLabel;
c1c534
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
c1c534
index 60cfc92e77..3cf12188a0 100644
c1c534
--- a/src/security/security_manager.c
c1c534
+++ b/src/security/security_manager.c
c1c534
@@ -1116,3 +1116,39 @@ virSecurityManagerRestoreMemoryLabel(virSecurityManagerPtr mgr,
c1c534
     virReportUnsupportedError();
c1c534
     return -1;
c1c534
 }
c1c534
+
c1c534
+
c1c534
+int
c1c534
+virSecurityManagerSetInputLabel(virSecurityManagerPtr mgr,
c1c534
+                                virDomainDefPtr vm,
c1c534
+                                virDomainInputDefPtr input)
c1c534
+{
c1c534
+    if (mgr->drv->domainSetSecurityInputLabel) {
c1c534
+        int ret;
c1c534
+        virObjectLock(mgr);
c1c534
+        ret = mgr->drv->domainSetSecurityInputLabel(mgr, vm, input);
c1c534
+        virObjectUnlock(mgr);
c1c534
+        return ret;
c1c534
+    }
c1c534
+
c1c534
+    virReportUnsupportedError();
c1c534
+    return -1;
c1c534
+}
c1c534
+
c1c534
+
c1c534
+int
c1c534
+virSecurityManagerRestoreInputLabel(virSecurityManagerPtr mgr,
c1c534
+                                    virDomainDefPtr vm,
c1c534
+                                    virDomainInputDefPtr input)
c1c534
+{
c1c534
+    if (mgr->drv->domainRestoreSecurityInputLabel) {
c1c534
+        int ret;
c1c534
+        virObjectLock(mgr);
c1c534
+        ret = mgr->drv->domainRestoreSecurityInputLabel(mgr, vm, input);
c1c534
+        virObjectUnlock(mgr);
c1c534
+        return ret;
c1c534
+    }
c1c534
+
c1c534
+    virReportUnsupportedError();
c1c534
+    return -1;
c1c534
+}
c1c534
diff --git a/src/security/security_manager.h b/src/security/security_manager.h
c1c534
index 08fb89203a..87fe890692 100644
c1c534
--- a/src/security/security_manager.h
c1c534
+++ b/src/security/security_manager.h
c1c534
@@ -172,6 +172,14 @@ int virSecurityManagerRestoreMemoryLabel(virSecurityManagerPtr mgr,
c1c534
                                         virDomainDefPtr vm,
c1c534
                                         virDomainMemoryDefPtr mem);
c1c534
 
c1c534
+int virSecurityManagerSetInputLabel(virSecurityManagerPtr mgr,
c1c534
+                                    virDomainDefPtr vm,
c1c534
+                                    virDomainInputDefPtr input);
c1c534
+int virSecurityManagerRestoreInputLabel(virSecurityManagerPtr mgr,
c1c534
+                                        virDomainDefPtr vm,
c1c534
+                                        virDomainInputDefPtr input);
c1c534
+
c1c534
+
c1c534
 int virSecurityManagerDomainSetPathLabel(virSecurityManagerPtr mgr,
c1c534
                                          virDomainDefPtr vm,
c1c534
                                          const char *path);
c1c534
diff --git a/src/security/security_nop.c b/src/security/security_nop.c
c1c534
index 527be11e5a..cfb032c686 100644
c1c534
--- a/src/security/security_nop.c
c1c534
+++ b/src/security/security_nop.c
c1c534
@@ -254,6 +254,14 @@ virSecurityDomainRestoreMemoryLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSE
c1c534
     return 0;
c1c534
 }
c1c534
 
c1c534
+static int
c1c534
+virSecurityDomainInputLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
c1c534
+                               virDomainDefPtr def ATTRIBUTE_UNUSED,
c1c534
+                               virDomainInputDefPtr input ATTRIBUTE_UNUSED)
c1c534
+{
c1c534
+    return 0;
c1c534
+}
c1c534
+
c1c534
 
c1c534
 virSecurityDriver virSecurityDriverNop = {
c1c534
     .privateDataLen                     = 0,
c1c534
@@ -276,6 +284,9 @@ virSecurityDriver virSecurityDriverNop = {
c1c534
     .domainSetSecurityMemoryLabel       = virSecurityDomainSetMemoryLabelNop,
c1c534
     .domainRestoreSecurityMemoryLabel   = virSecurityDomainRestoreMemoryLabelNop,
c1c534
 
c1c534
+    .domainSetSecurityInputLabel        = virSecurityDomainInputLabelNop,
c1c534
+    .domainRestoreSecurityInputLabel    = virSecurityDomainInputLabelNop,
c1c534
+
c1c534
     .domainSetSecurityDaemonSocketLabel = virSecurityDomainSetDaemonSocketLabelNop,
c1c534
     .domainSetSecuritySocketLabel       = virSecurityDomainSetSocketLabelNop,
c1c534
     .domainClearSecuritySocketLabel     = virSecurityDomainClearSocketLabelNop,
c1c534
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
c1c534
index cd3e411931..d44de72e02 100644
c1c534
--- a/src/security/security_selinux.c
c1c534
+++ b/src/security/security_selinux.c
c1c534
@@ -3058,6 +3058,9 @@ virSecurityDriver virSecurityDriverSELinux = {
c1c534
     .domainSetSecurityMemoryLabel       = virSecuritySELinuxSetMemoryLabel,
c1c534
     .domainRestoreSecurityMemoryLabel   = virSecuritySELinuxRestoreMemoryLabel,
c1c534
 
c1c534
+    .domainSetSecurityInputLabel        = virSecuritySELinuxSetInputLabel,
c1c534
+    .domainRestoreSecurityInputLabel    = virSecuritySELinuxRestoreInputLabel,
c1c534
+
c1c534
     .domainSetSecurityDaemonSocketLabel = virSecuritySELinuxSetDaemonSocketLabel,
c1c534
     .domainSetSecuritySocketLabel       = virSecuritySELinuxSetSocketLabel,
c1c534
     .domainClearSecuritySocketLabel     = virSecuritySELinuxClearSocketLabel,
c1c534
diff --git a/src/security/security_stack.c b/src/security/security_stack.c
c1c534
index 53eee1692f..cd916382b2 100644
c1c534
--- a/src/security/security_stack.c
c1c534
+++ b/src/security/security_stack.c
c1c534
@@ -666,6 +666,41 @@ virSecurityStackRestoreMemoryLabel(virSecurityManagerPtr mgr,
c1c534
     return rc;
c1c534
 }
c1c534
 
c1c534
+static int
c1c534
+virSecurityStackSetInputLabel(virSecurityManagerPtr mgr,
c1c534
+                              virDomainDefPtr vm,
c1c534
+                              virDomainInputDefPtr input)
c1c534
+{
c1c534
+    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
c1c534
+    virSecurityStackItemPtr item = priv->itemsHead;
c1c534
+    int rc = 0;
c1c534
+
c1c534
+    for (; item; item = item->next) {
c1c534
+        if (virSecurityManagerSetInputLabel(item->securityManager, vm, input) < 0)
c1c534
+            rc = -1;
c1c534
+    }
c1c534
+
c1c534
+    return rc;
c1c534
+}
c1c534
+
c1c534
+static int
c1c534
+virSecurityStackRestoreInputLabel(virSecurityManagerPtr mgr,
c1c534
+                                  virDomainDefPtr vm,
c1c534
+                                  virDomainInputDefPtr input)
c1c534
+{
c1c534
+    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
c1c534
+    virSecurityStackItemPtr item = priv->itemsHead;
c1c534
+    int rc = 0;
c1c534
+
c1c534
+    for (; item; item = item->next) {
c1c534
+        if (virSecurityManagerRestoreInputLabel(item->securityManager,
c1c534
+                                                vm, input) < 0)
c1c534
+            rc = -1;
c1c534
+    }
c1c534
+
c1c534
+    return rc;
c1c534
+}
c1c534
+
c1c534
 static int
c1c534
 virSecurityStackDomainSetPathLabel(virSecurityManagerPtr mgr,
c1c534
                                    virDomainDefPtr vm,
c1c534
@@ -711,6 +746,9 @@ virSecurityDriver virSecurityDriverStack = {
c1c534
     .domainSetSecurityMemoryLabel       = virSecurityStackSetMemoryLabel,
c1c534
     .domainRestoreSecurityMemoryLabel   = virSecurityStackRestoreMemoryLabel,
c1c534
 
c1c534
+    .domainSetSecurityInputLabel        = virSecurityStackSetInputLabel,
c1c534
+    .domainRestoreSecurityInputLabel    = virSecurityStackRestoreInputLabel,
c1c534
+
c1c534
     .domainSetSecurityDaemonSocketLabel = virSecurityStackSetDaemonSocketLabel,
c1c534
     .domainSetSecuritySocketLabel       = virSecurityStackSetSocketLabel,
c1c534
     .domainClearSecuritySocketLabel     = virSecurityStackClearSocketLabel,
c1c534
-- 
c1c534
2.15.1
c1c534