From a95511a2d1f6be0e63af0dc001a92bcb7869d3f8 Mon Sep 17 00:00:00 2001

Message-Id: <a95511a2d1f6be0e63af0dc001a92bcb7869d3f8@dist-git>

From: Erik Skultety <eskultet@redhat.com>

Date: Fri, 1 Feb 2019 17:21:57 +0100

Subject: [PATCH] security: dac: Relabel /dev/sev in the namespace

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

The default permissions (0600 root:root) are of no use to the qemu

process so we need to change the owner to qemu iff running with

namespaces.

Signed-off-by: Erik Skultety <eskultet@redhat.com>

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

(cherry picked from commit 17f6a257f1ea484489277f4da38be914b246a30b)

https://bugzilla.redhat.com/show_bug.cgi?id=1665400

 Conflicts:

        - virSecurityDACSetOwnership's signature had to be adjusted to

          match the signature of its counterpart in libvirt 4.5.0.

Signed-off-by: Erik Skultety <eskultet@redhat.com>

Reviewed-by: Ján Tomko <jtomko@redhat.com>

---

 src/security/security_dac.c | 51 +++++++++++++++++++++++++++++++++++++

 1 file changed, 51 insertions(+)

diff --git a/src/security/security_dac.c b/src/security/security_dac.c

index 74c70dd092..cc86060e3f 100644

--- a/src/security/security_dac.c

+++ b/src/security/security_dac.c

@@ -47,6 +47,7 @@

 VIR_LOG_INIT("security.security_dac");

 #define SECURITY_DAC_NAME "dac"

+#define DEV_SEV "/dev/sev"

 typedef struct _virSecurityDACData virSecurityDACData;

 typedef virSecurityDACData *virSecurityDACDataPtr;

@@ -1545,6 +1546,16 @@ virSecurityDACRestoreMemoryLabel(virSecurityManagerPtr mgr,

 }

+static int

+virSecurityDACRestoreSEVLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,

+                              virDomainDefPtr def ATTRIBUTE_UNUSED)

+{

+    /* we only label /dev/sev when running with namespaces, so we don't need to

+     * restore anything */

+    return 0;

+}

+

+

 static int

 virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,

                               virDomainDefPtr def,

@@ -1615,6 +1626,11 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,

             rc = -1;

     }

+    if (def->sev) {

+        if (virSecurityDACRestoreSEVLabel(mgr, def) < 0)

+            rc = -1;

+    }

+

     if (def->os.loader && def->os.loader->nvram &&

         virSecurityDACRestoreFileLabel(priv, def->os.loader->nvram) < 0)

         rc = -1;

@@ -1670,6 +1686,36 @@ virSecurityDACSetMemoryLabel(virSecurityManagerPtr mgr,

 }

+static int

+virSecurityDACSetSEVLabel(virSecurityManagerPtr mgr,

+                          virDomainDefPtr def)

+{

+    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);

+    virSecurityLabelDefPtr seclabel;

+    uid_t user;

+    gid_t group;

+

+    /* Skip chowning /dev/sev if namespaces are disabled as we'd significantly

+     * increase the chance of a DOS attack on SEV

+     */

+    if (!priv->mountNamespace)

+        return 0;

+

+    seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);

+    if (seclabel && !seclabel->relabel)

+        return 0;

+

+    if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL) < 0)

+        return -1;

+

+    if (virSecurityDACSetOwnership(priv, NULL, DEV_SEV,

+                                   user, group) < 0)

+        return -1;

+

+    return 0;

+}

+

+

 static int

 virSecurityDACSetAllLabel(virSecurityManagerPtr mgr,

                           virDomainDefPtr def,

@@ -1740,6 +1786,11 @@ virSecurityDACSetAllLabel(virSecurityManagerPtr mgr,

             return -1;

     }

+    if (def->sev) {

+        if (virSecurityDACSetSEVLabel(mgr, def) < 0)

+            return -1;

+    }

+

     if (virSecurityDACGetImageIds(secdef, priv, &user, &group))

         return -1;

-- 

2.20.1