|
|
edecca |
From a95511a2d1f6be0e63af0dc001a92bcb7869d3f8 Mon Sep 17 00:00:00 2001
|
|
|
edecca |
Message-Id: <a95511a2d1f6be0e63af0dc001a92bcb7869d3f8@dist-git>
|
|
|
edecca |
From: Erik Skultety <eskultet@redhat.com>
|
|
|
edecca |
Date: Fri, 1 Feb 2019 17:21:57 +0100
|
|
|
edecca |
Subject: [PATCH] security: dac: Relabel /dev/sev in the namespace
|
|
|
edecca |
MIME-Version: 1.0
|
|
|
edecca |
Content-Type: text/plain; charset=UTF-8
|
|
|
edecca |
Content-Transfer-Encoding: 8bit
|
|
|
edecca |
|
|
|
edecca |
The default permissions (0600 root:root) are of no use to the qemu
|
|
|
edecca |
process so we need to change the owner to qemu iff running with
|
|
|
edecca |
namespaces.
|
|
|
edecca |
|
|
|
edecca |
Signed-off-by: Erik Skultety <eskultet@redhat.com>
|
|
|
edecca |
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
|
|
|
edecca |
(cherry picked from commit 17f6a257f1ea484489277f4da38be914b246a30b)
|
|
|
edecca |
|
|
|
edecca |
https://bugzilla.redhat.com/show_bug.cgi?id=1665400
|
|
|
edecca |
|
|
|
edecca |
Conflicts:
|
|
|
edecca |
- virSecurityDACSetOwnership's signature had to be adjusted to
|
|
|
edecca |
match the signature of its counterpart in libvirt 4.5.0.
|
|
|
edecca |
|
|
|
edecca |
Signed-off-by: Erik Skultety <eskultet@redhat.com>
|
|
|
edecca |
Reviewed-by: Ján Tomko <jtomko@redhat.com>
|
|
|
edecca |
---
|
|
|
edecca |
src/security/security_dac.c | 51 +++++++++++++++++++++++++++++++++++++
|
|
|
edecca |
1 file changed, 51 insertions(+)
|
|
|
edecca |
|
|
|
edecca |
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
|
|
|
edecca |
index 74c70dd092..cc86060e3f 100644
|
|
|
edecca |
--- a/src/security/security_dac.c
|
|
|
edecca |
+++ b/src/security/security_dac.c
|
|
|
edecca |
@@ -47,6 +47,7 @@
|
|
|
edecca |
VIR_LOG_INIT("security.security_dac");
|
|
|
edecca |
|
|
|
edecca |
#define SECURITY_DAC_NAME "dac"
|
|
|
edecca |
+#define DEV_SEV "/dev/sev"
|
|
|
edecca |
|
|
|
edecca |
typedef struct _virSecurityDACData virSecurityDACData;
|
|
|
edecca |
typedef virSecurityDACData *virSecurityDACDataPtr;
|
|
|
edecca |
@@ -1545,6 +1546,16 @@ virSecurityDACRestoreMemoryLabel(virSecurityManagerPtr mgr,
|
|
|
edecca |
}
|
|
|
edecca |
|
|
|
edecca |
|
|
|
edecca |
+static int
|
|
|
edecca |
+virSecurityDACRestoreSEVLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
|
|
edecca |
+ virDomainDefPtr def ATTRIBUTE_UNUSED)
|
|
|
edecca |
+{
|
|
|
edecca |
+ /* we only label /dev/sev when running with namespaces, so we don't need to
|
|
|
edecca |
+ * restore anything */
|
|
|
edecca |
+ return 0;
|
|
|
edecca |
+}
|
|
|
edecca |
+
|
|
|
edecca |
+
|
|
|
edecca |
static int
|
|
|
edecca |
virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
|
|
|
edecca |
virDomainDefPtr def,
|
|
|
edecca |
@@ -1615,6 +1626,11 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
|
|
|
edecca |
rc = -1;
|
|
|
edecca |
}
|
|
|
edecca |
|
|
|
edecca |
+ if (def->sev) {
|
|
|
edecca |
+ if (virSecurityDACRestoreSEVLabel(mgr, def) < 0)
|
|
|
edecca |
+ rc = -1;
|
|
|
edecca |
+ }
|
|
|
edecca |
+
|
|
|
edecca |
if (def->os.loader && def->os.loader->nvram &&
|
|
|
edecca |
virSecurityDACRestoreFileLabel(priv, def->os.loader->nvram) < 0)
|
|
|
edecca |
rc = -1;
|
|
|
edecca |
@@ -1670,6 +1686,36 @@ virSecurityDACSetMemoryLabel(virSecurityManagerPtr mgr,
|
|
|
edecca |
}
|
|
|
edecca |
|
|
|
edecca |
|
|
|
edecca |
+static int
|
|
|
edecca |
+virSecurityDACSetSEVLabel(virSecurityManagerPtr mgr,
|
|
|
edecca |
+ virDomainDefPtr def)
|
|
|
edecca |
+{
|
|
|
edecca |
+ virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
|
|
|
edecca |
+ virSecurityLabelDefPtr seclabel;
|
|
|
edecca |
+ uid_t user;
|
|
|
edecca |
+ gid_t group;
|
|
|
edecca |
+
|
|
|
edecca |
+ /* Skip chowning /dev/sev if namespaces are disabled as we'd significantly
|
|
|
edecca |
+ * increase the chance of a DOS attack on SEV
|
|
|
edecca |
+ */
|
|
|
edecca |
+ if (!priv->mountNamespace)
|
|
|
edecca |
+ return 0;
|
|
|
edecca |
+
|
|
|
edecca |
+ seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
|
|
|
edecca |
+ if (seclabel && !seclabel->relabel)
|
|
|
edecca |
+ return 0;
|
|
|
edecca |
+
|
|
|
edecca |
+ if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL) < 0)
|
|
|
edecca |
+ return -1;
|
|
|
edecca |
+
|
|
|
edecca |
+ if (virSecurityDACSetOwnership(priv, NULL, DEV_SEV,
|
|
|
edecca |
+ user, group) < 0)
|
|
|
edecca |
+ return -1;
|
|
|
edecca |
+
|
|
|
edecca |
+ return 0;
|
|
|
edecca |
+}
|
|
|
edecca |
+
|
|
|
edecca |
+
|
|
|
edecca |
static int
|
|
|
edecca |
virSecurityDACSetAllLabel(virSecurityManagerPtr mgr,
|
|
|
edecca |
virDomainDefPtr def,
|
|
|
edecca |
@@ -1740,6 +1786,11 @@ virSecurityDACSetAllLabel(virSecurityManagerPtr mgr,
|
|
|
edecca |
return -1;
|
|
|
edecca |
}
|
|
|
edecca |
|
|
|
edecca |
+ if (def->sev) {
|
|
|
edecca |
+ if (virSecurityDACSetSEVLabel(mgr, def) < 0)
|
|
|
edecca |
+ return -1;
|
|
|
edecca |
+ }
|
|
|
edecca |
+
|
|
|
edecca |
if (virSecurityDACGetImageIds(secdef, priv, &user, &group))
|
|
|
edecca |
return -1;
|
|
|
edecca |
|
|
|
edecca |
--
|
|
|
edecca |
2.20.1
|
|
|
edecca |
|