security_selinux.c 77.4 KB
Newer Older
1
/*
2
 * Copyright (C) 2008-2014 Red Hat, Inc.
3 4 5 6 7 8
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
O
Osier Yang 已提交
9 10 11 12 13 14
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
15
 * License along with this library.  If not, see
O
Osier Yang 已提交
16 17
 * <http://www.gnu.org/licenses/>.
 *
18 19
 * Authors:
 *     James Morris <jmorris@namei.org>
20
 *     Dan Walsh <dwalsh@redhat.com>
21 22 23 24 25 26 27 28 29
 *
 * SELinux security driver.
 */
#include <config.h>
#include <selinux/selinux.h>
#include <selinux/context.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
E
Eric Blake 已提交
30 31 32
#if HAVE_SELINUX_LABEL_H
# include <selinux/label.h>
#endif
33

34
#include "security_driver.h"
35
#include "security_selinux.h"
36
#include "virerror.h"
37
#include "viralloc.h"
38
#include "virlog.h"
39
#include "virpci.h"
40
#include "virusb.h"
41
#include "virscsi.h"
42
#include "virstoragefile.h"
E
Eric Blake 已提交
43
#include "virfile.h"
44
#include "virhash.h"
45
#include "virrandom.h"
46
#include "virconf.h"
47
#include "virtpm.h"
48
#include "virstring.h"
D
Daniel P. Berrange 已提交
49 50 51

#define VIR_FROM_THIS VIR_FROM_SECURITY

52 53
VIR_LOG_INIT("security.security_selinux");

54 55 56 57 58 59 60
#define MAX_CONTEXT 1024

typedef struct _virSecuritySELinuxData virSecuritySELinuxData;
typedef virSecuritySELinuxData *virSecuritySELinuxDataPtr;

struct _virSecuritySELinuxData {
    char *domain_context;
61
    char *alt_domain_context;
62 63
    char *file_context;
    char *content_context;
64
    virHashTablePtr mcs;
65
    bool skipAllLabel;
66 67 68
#if HAVE_SELINUX_LABEL_H
    struct selabel_handle *label_handle;
#endif
69 70
};

71 72 73
#define SECURITY_SELINUX_VOID_DOI       "0"
#define SECURITY_SELINUX_NAME "selinux"

74 75 76 77 78 79
static int
virSecuritySELinuxRestoreSecurityTPMFileLabelInt(virSecurityManagerPtr mgr,
                                                 virDomainDefPtr def,
                                                 virDomainTPMDefPtr tpm);


80 81 82
/*
 * Returns 0 on success, 1 if already reserved, or -1 on fatal error
 */
83
static int
84 85
virSecuritySELinuxMCSAdd(virSecurityManagerPtr mgr,
                         const char *mcs)
86
{
87
    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
88

89 90 91 92
    if (virHashLookup(data->mcs, mcs))
        return 1;

    if (virHashAddEntry(data->mcs, mcs, (void*)0x1) < 0)
93
        return -1;
94

95 96 97
    return 0;
}

98 99 100
static void
virSecuritySELinuxMCSRemove(virSecurityManagerPtr mgr,
                            const char *mcs)
101
{
102 103 104
    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);

    virHashRemoveEntry(data->mcs, mcs);
105 106
}

107 108

static char *
109 110 111 112
virSecuritySELinuxMCSFind(virSecurityManagerPtr mgr,
                          const char *sens,
                          int catMin,
                          int catMax)
113 114
{
    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
115
    int catRange;
116
    char *mcs = NULL;
117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137

    /* +1 since virRandomInt range is exclusive of the upper bound */
    catRange = (catMax - catMin) + 1;

    if (catRange < 8) {
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("Category range c%d-c%d too small"),
                       catMin, catMax);
        return NULL;
    }

    VIR_DEBUG("Using sensitivity level '%s' cat min %d max %d range %d",
              sens, catMin, catMax, catRange);

    for (;;) {
        int c1 = virRandomInt(catRange);
        int c2 = virRandomInt(catRange);

        VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1 + catMin, c2 + catMin);

        if (c1 == c2) {
138
            if (virAsprintf(&mcs, "%s:c%d", sens, catMin + c1) < 0)
139 140 141 142 143 144 145
                return NULL;
        } else {
            if (c1 > c2) {
                int t = c1;
                c1 = c2;
                c2 = t;
            }
146
            if (virAsprintf(&mcs, "%s:c%d,c%d", sens, catMin + c1, catMin + c2) < 0)
147 148 149 150 151 152 153 154 155 156 157 158
                return NULL;
        }

        if (virHashLookup(data->mcs, mcs) == NULL)
            break;

        VIR_FREE(mcs);
    }

    return mcs;
}

159 160 161 162

/*
 * This needs to cope with several styles of range
 *
163
 * system_u:system_r:virtd_t
164 165 166 167
 * system_u:system_r:virtd_t:s0
 * system_u:system_r:virtd_t:s0-s0
 * system_u:system_r:virtd_t:s0-s0:c0.c1023
 *
168 169
 * In the first case we'll assume s0:c0.c1023 and
 * in the next two cases, we'll assume c0.c1023 for
170 171 172
 * the category part, since that's what we're really
 * interested in. This won't work in Enforcing mode,
 * but will prevent libvirtd breaking in Permissive
N
Nehal J Wani 已提交
173
 * mode when run with a weird process label.
174
 */
175 176 177 178 179
static int
virSecuritySELinuxMCSGetProcessRange(char **sens,
                                     int *catMin,
                                     int *catMax)
{
180 181
    security_context_t ourSecContext = NULL;
    context_t ourContext = NULL;
182 183
    char *cat = NULL;
    char *tmp;
184
    const char *contextRange;
185
    int ret = -1;
186

M
Martin Kletzander 已提交
187
    if (getcon_raw(&ourSecContext) < 0) {
188 189 190 191 192 193 194 195 196 197
        virReportSystemError(errno, "%s",
                             _("Unable to get current process SELinux context"));
        goto cleanup;
    }
    if (!(ourContext = context_new(ourSecContext))) {
        virReportSystemError(errno,
                             _("Unable to parse current SELinux context '%s'"),
                             ourSecContext);
        goto cleanup;
    }
198 199
    if (!(contextRange = context_range_get(ourContext)))
        contextRange = "s0";
200

201
    if (VIR_STRDUP(*sens, contextRange) < 0)
202 203
        goto cleanup;

204 205 206 207 208
    /* Find and blank out the category part (if any) */
    tmp = strchr(*sens, ':');
    if (tmp) {
        *tmp = '\0';
        cat = tmp + 1;
209 210
    }
    /* Find and blank out the sensitivity upper bound */
211
    if ((tmp = strchr(*sens, '-')))
212 213 214
        *tmp = '\0';
    /* sens now just contains the sensitivity lower bound */

215
    /* If there was no category part, just assume c0.c1023 */
216 217
    if (!cat) {
        *catMin = 0;
218
        *catMax = 1023;
219 220 221 222
        ret = 0;
        goto cleanup;
    }

223 224 225 226 227 228 229 230 231
    /* Find & extract category min */
    tmp = cat;
    if (tmp[0] != 'c') {
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("Cannot parse category in %s"),
                       cat);
        goto cleanup;
    }
    tmp++;
232
    if (virStrToLong_i(tmp, &tmp, 10, catMin) < 0) {
233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("Cannot parse category in %s"),
                       cat);
        goto cleanup;
    }

    /* We *must* have a pair of categories otherwise
     * there's no range to allocate VM categories from */
    if (!tmp[0]) {
        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
                       _("No category range available"));
        goto cleanup;
    }

    /* Find & extract category max (if any) */
    if (tmp[0] != '.') {
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("Cannot parse category in %s"),
                       cat);
        goto cleanup;
    }
    tmp++;
    if (tmp[0] != 'c') {
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("Cannot parse category in %s"),
                       cat);
        goto cleanup;
    }
    tmp++;
262
    if (virStrToLong_i(tmp, &tmp, 10, catMax) < 0) {
263 264 265 266 267 268
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("Cannot parse category in %s"),
                       cat);
        goto cleanup;
    }

269
    ret = 0;
270

271
 cleanup:
272 273
    if (ret < 0)
        VIR_FREE(*sens);
274 275
    freecon(ourSecContext);
    context_free(ourContext);
276
    return ret;
277 278
}

279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308
static char *
virSecuritySELinuxContextAddRange(security_context_t src,
                                  security_context_t dst)
{
    char *str = NULL;
    char *ret = NULL;
    context_t srccon = NULL;
    context_t dstcon = NULL;

    if (!src || !dst)
        return ret;

    if (!(srccon = context_new(src)) || !(dstcon = context_new(dst))) {
        virReportSystemError(errno, "%s",
                             _("unable to allocate security context"));
        goto cleanup;
    }

    if (context_range_set(dstcon, context_range_get(srccon)) == -1) {
        virReportSystemError(errno,
                             _("unable to set security context range '%s'"), dst);
        goto cleanup;
    }

    if (!(str = context_str(dstcon))) {
        virReportSystemError(errno, "%s",
                             _("Unable to format SELinux context"));
        goto cleanup;
    }

309
    ignore_value(VIR_STRDUP(ret, str));
310

311
 cleanup:
312 313 314 315
    if (srccon) context_free(srccon);
    if (dstcon) context_free(dstcon);
    return ret;
}
316

317
static char *
318 319 320
virSecuritySELinuxGenNewContext(const char *basecontext,
                                const char *mcs,
                                bool isObjectContext)
321
{
322
    context_t context = NULL;
323 324
    char *ret = NULL;
    char *str;
325 326 327
    security_context_t ourSecContext = NULL;
    context_t ourContext = NULL;

328 329 330
    VIR_DEBUG("basecontext=%s mcs=%s isObjectContext=%d",
              basecontext, mcs, isObjectContext);

M
Martin Kletzander 已提交
331
    if (getcon_raw(&ourSecContext) < 0) {
332 333 334 335 336 337 338 339 340 341
        virReportSystemError(errno, "%s",
                             _("Unable to get current process SELinux context"));
        goto cleanup;
    }
    if (!(ourContext = context_new(ourSecContext))) {
        virReportSystemError(errno,
                             _("Unable to parse current SELinux context '%s'"),
                             ourSecContext);
        goto cleanup;
    }
342
    VIR_DEBUG("process=%s", ourSecContext);
343 344 345 346 347 348 349 350

    if (!(context = context_new(basecontext))) {
        virReportSystemError(errno,
                             _("Unable to parse base SELinux context '%s'"),
                             basecontext);
        goto cleanup;
    }

351 352 353 354 355 356 357 358
    if (context_user_set(context,
                         context_user_get(ourContext)) != 0) {
        virReportSystemError(errno,
                             _("Unable to set SELinux context user '%s'"),
                             context_user_get(ourContext));
        goto cleanup;
    }

359 360
    if (!isObjectContext &&
        context_role_set(context,
361 362
                         context_role_get(ourContext)) != 0) {
        virReportSystemError(errno,
363
                             _("Unable to set SELinux context role '%s'"),
364 365 366 367
                             context_role_get(ourContext));
        goto cleanup;
    }

368 369 370 371 372 373 374 375 376 377 378
    if (context_range_set(context, mcs) != 0) {
        virReportSystemError(errno,
                             _("Unable to set SELinux context MCS '%s'"),
                             mcs);
        goto cleanup;
    }
    if (!(str = context_str(context))) {
        virReportSystemError(errno, "%s",
                             _("Unable to format SELinux context"));
        goto cleanup;
    }
379
    if (VIR_STRDUP(ret, str) < 0)
380
        goto cleanup;
381
    VIR_DEBUG("Generated context '%s'",  ret);
382
 cleanup:
383 384
    freecon(ourSecContext);
    context_free(ourContext);
385 386
    context_free(context);
    return ret;
387 388
}

389

390
#ifdef HAVE_SELINUX_LXC_CONTEXTS_PATH
391
static int
392
virSecuritySELinuxLXCInitialize(virSecurityManagerPtr mgr)
393 394 395 396 397 398 399
{
    virConfValuePtr scon = NULL;
    virConfValuePtr tcon = NULL;
    virConfValuePtr dcon = NULL;
    virConfPtr selinux_conf;
    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);

400 401
    data->skipAllLabel = true;

402
# if HAVE_SELINUX_LABEL_H
403 404 405 406 407 408
    data->label_handle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
    if (!data->label_handle) {
        virReportSystemError(errno, "%s",
                             _("cannot open SELinux label_handle"));
        return -1;
    }
409
# endif
410

411
    if (!(selinux_conf = virConfReadFile(selinux_lxc_contexts_path(), 0)))
412
        goto error;
413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437

    scon = virConfGetValue(selinux_conf, "process");
    if (! scon || scon->type != VIR_CONF_STRING || (! scon->str)) {
        virReportSystemError(errno,
                             _("cannot read 'process' value from selinux lxc contexts file '%s'"),
                             selinux_lxc_contexts_path());
        goto error;
    }

    tcon = virConfGetValue(selinux_conf, "file");
    if (! tcon || tcon->type != VIR_CONF_STRING || (! tcon->str)) {
        virReportSystemError(errno,
                             _("cannot read 'file' value from selinux lxc contexts file '%s'"),
                             selinux_lxc_contexts_path());
        goto error;
    }

    dcon = virConfGetValue(selinux_conf, "content");
    if (! dcon || dcon->type != VIR_CONF_STRING || (! dcon->str)) {
        virReportSystemError(errno,
                             _("cannot read 'file' value from selinux lxc contexts file '%s'"),
                             selinux_lxc_contexts_path());
        goto error;
    }

438 439 440
    if (VIR_STRDUP(data->domain_context, scon->str) < 0 ||
        VIR_STRDUP(data->file_context, tcon->str) < 0 ||
        VIR_STRDUP(data->content_context, dcon->str) < 0)
441
        goto error;
442 443 444 445

    if (!(data->mcs = virHashCreate(10, NULL)))
        goto error;

446 447 448
    virConfFree(selinux_conf);
    return 0;

449
 error:
450
# if HAVE_SELINUX_LABEL_H
451
    selabel_close(data->label_handle);
452
    data->label_handle = NULL;
453
# endif
454 455 456 457
    virConfFree(selinux_conf);
    VIR_FREE(data->domain_context);
    VIR_FREE(data->file_context);
    VIR_FREE(data->content_context);
458
    virHashFree(data->mcs);
459 460
    return -1;
}
461 462
#else
static int
463
virSecuritySELinuxLXCInitialize(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
464 465 466 467 468 469
{
    virReportSystemError(ENOSYS, "%s",
                         _("libselinux does not support LXC contexts path"));
    return -1;
}
#endif
470 471 472


static int
473
virSecuritySELinuxQEMUInitialize(virSecurityManagerPtr mgr)
474
{
475 476
    char *ptr;
    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
477

478 479
    data->skipAllLabel = false;

480 481 482 483 484 485 486 487 488
#if HAVE_SELINUX_LABEL_H
    data->label_handle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
    if (!data->label_handle) {
        virReportSystemError(errno, "%s",
                             _("cannot open SELinux label_handle"));
        return -1;
    }
#endif

489
    if (virFileReadAll(selinux_virtual_domain_context_path(), MAX_CONTEXT, &(data->domain_context)) < 0) {
490
        virReportSystemError(errno,
491
                             _("cannot read SELinux virtual domain context file '%s'"),
492
                             selinux_virtual_domain_context_path());
493
        goto error;
494 495
    }

496
    ptr = strchrnul(data->domain_context, '\n');
497
    if (ptr && *ptr == '\n') {
498
        *ptr = '\0';
499 500
        ptr++;
        if (*ptr != '\0') {
501
            if (VIR_STRDUP(data->alt_domain_context, ptr) < 0)
502 503 504 505 506 507 508 509 510
                goto error;
            ptr = strchrnul(data->alt_domain_context, '\n');
            if (ptr && *ptr == '\n')
                *ptr = '\0';
        }
    }
    VIR_DEBUG("Loaded domain context '%s', alt domain context '%s'",
              data->domain_context, NULLSTR(data->alt_domain_context));

511

512
    if (virFileReadAll(selinux_virtual_image_context_path(), 2*MAX_CONTEXT, &(data->file_context)) < 0) {
513
        virReportSystemError(errno,
514 515
                             _("cannot read SELinux virtual image context file %s"),
                             selinux_virtual_image_context_path());
516
        goto error;
517 518
    }

519 520
    ptr = strchrnul(data->file_context, '\n');
    if (ptr && *ptr == '\n') {
521
        *ptr = '\0';
522
        if (VIR_STRDUP(data->content_context, ptr + 1) < 0)
523 524 525
            goto error;
        ptr = strchrnul(data->content_context, '\n');
        if (ptr && *ptr == '\n')
526 527
            *ptr = '\0';
    }
528

529 530 531
    VIR_DEBUG("Loaded file context '%s', content context '%s'",
              data->file_context, data->content_context);

532 533 534
    if (!(data->mcs = virHashCreate(10, NULL)))
        goto error;

535
    return 0;
536

537
 error:
538 539
#if HAVE_SELINUX_LABEL_H
    selabel_close(data->label_handle);
540
    data->label_handle = NULL;
541
#endif
542
    VIR_FREE(data->domain_context);
543
    VIR_FREE(data->alt_domain_context);
544 545
    VIR_FREE(data->file_context);
    VIR_FREE(data->content_context);
546
    virHashFree(data->mcs);
547
    return -1;
548 549
}

550 551

static int
552
virSecuritySELinuxInitialize(virSecurityManagerPtr mgr)
553 554 555
{
    VIR_DEBUG("SELinuxInitialize %s", virSecurityManagerGetDriver(mgr));
    if (STREQ(virSecurityManagerGetDriver(mgr),  "LXC")) {
556
        return virSecuritySELinuxLXCInitialize(mgr);
557
    } else {
558
        return virSecuritySELinuxQEMUInitialize(mgr);
559 560 561 562
    }
}


563
static int
564 565
virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
                                   virDomainDefPtr def)
566 567
{
    int rc = -1;
568
    char *mcs = NULL;
569
    char *scontext = NULL;
570
    context_t ctx = NULL;
571
    const char *range;
572 573
    virSecurityLabelDefPtr seclabel;
    virSecuritySELinuxDataPtr data;
574
    const char *baselabel;
575 576
    char *sens = NULL;
    int catMin, catMax;
577

578
    seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
P
Peter Krempa 已提交
579
    if (seclabel == NULL)
580
        return 0;
581 582 583 584 585 586

    data = virSecurityManagerGetPrivateData(mgr);

    VIR_DEBUG("label=%s", virSecurityManagerGetDriver(mgr));
    if (seclabel->type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
        seclabel->label) {
P
Peter Krempa 已提交
587 588
        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
                       _("security label already defined for VM"));
589
        return rc;
D
Daniel P. Berrange 已提交
590
    }
591

592
    if (seclabel->imagelabel) {
P
Peter Krempa 已提交
593 594
        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
                       _("security image label already defined for VM"));
595 596 597
        return rc;
    }

598 599
    if (seclabel->model &&
        STRNEQ(seclabel->model, SECURITY_SELINUX_NAME)) {
600 601
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("security label model %s is not supported with selinux"),
602
                       seclabel->model);
603 604 605
        return rc;
    }

606
    VIR_DEBUG("type=%d", seclabel->type);
607

608
    switch (seclabel->type) {
609
    case VIR_DOMAIN_SECLABEL_STATIC:
610
        if (!(ctx = context_new(seclabel->label))) {
611 612
            virReportSystemError(errno,
                                 _("unable to allocate socket security context '%s'"),
613
                                 seclabel->label);
614
            return rc;
615 616
        }

P
Peter Krempa 已提交
617
        if (!(range = context_range_get(ctx))) {
618
            virReportSystemError(errno, "%s", _("unable to get selinux context range"));
619 620
            goto cleanup;
        }
621 622
        if (VIR_STRDUP(mcs, range) < 0)
            goto cleanup;
623 624 625
        break;

    case VIR_DOMAIN_SECLABEL_DYNAMIC:
626 627 628 629 630 631 632 633 634
        if (virSecuritySELinuxMCSGetProcessRange(&sens,
                                                 &catMin,
                                                 &catMax) < 0)
            goto cleanup;

        if (!(mcs = virSecuritySELinuxMCSFind(mgr,
                                              sens,
                                              catMin,
                                              catMax)))
635 636 637 638
            goto cleanup;

        if (virSecuritySELinuxMCSAdd(mgr, mcs) < 0)
            goto cleanup;
639

640 641 642 643
        baselabel = seclabel->baselabel;
        if (!baselabel) {
            if (def->virtType == VIR_DOMAIN_VIRT_QEMU) {
                if (data->alt_domain_context == NULL) {
644
                    static bool warned;
645 646 647 648 649 650 651 652 653 654 655 656 657 658 659
                    if (!warned) {
                        VIR_WARN("SELinux policy does not define a domain type for QEMU TCG. "
                                 "Guest startup may be denied due to missing 'execmem' privilege "
                                 "unless the 'virt_use_execmem' policy boolean is enabled");
                        warned = true;
                    }
                    baselabel = data->domain_context;
                } else {
                    baselabel = data->alt_domain_context;
                }
            } else {
                baselabel = data->domain_context;
            }
        }

660 661
        seclabel->label = virSecuritySELinuxGenNewContext(baselabel, mcs, false);
        if (!seclabel->label)
662
            goto cleanup;
663

664 665 666
        break;

    case VIR_DOMAIN_SECLABEL_NONE:
667 668 669 670 671 672 673 674
        if (virSecuritySELinuxMCSGetProcessRange(&sens,
                                                 &catMin,
                                                 &catMax) < 0)
            goto cleanup;

        if (VIR_STRDUP(mcs, sens) < 0)
            goto cleanup;

675 676 677
        break;

    default:
678 679
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("unexpected security label type '%s'"),
680
                       virDomainSeclabelTypeToString(seclabel->type));
681
        goto cleanup;
D
Daniel P. Berrange 已提交
682
    }
683

684 685 686 687 688 689
    /* always generate a image label, needed to label new objects */
    seclabel->imagelabel = virSecuritySELinuxGenNewContext(data->file_context,
                                                           mcs,
                                                           true);
    if (!seclabel->imagelabel)
        goto cleanup;
690

691
    if (!seclabel->model &&
692
        VIR_STRDUP(seclabel->model, SECURITY_SELINUX_NAME) < 0)
693
        goto cleanup;
D
Daniel P. Berrange 已提交
694

695
    rc = 0;
696

697
 cleanup:
698
    if (rc != 0) {
699 700 701 702 703 704
        if (seclabel->type == VIR_DOMAIN_SECLABEL_DYNAMIC)
            VIR_FREE(seclabel->label);
        VIR_FREE(seclabel->imagelabel);
        if (seclabel->type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
            !seclabel->baselabel)
            VIR_FREE(seclabel->model);
705 706 707 708
    }

    if (ctx)
        context_free(ctx);
D
Daniel P. Berrange 已提交
709
    VIR_FREE(scontext);
710
    VIR_FREE(mcs);
711
    VIR_FREE(sens);
712 713

    VIR_DEBUG("model=%s label=%s imagelabel=%s baselabel=%s",
714 715 716 717
              NULLSTR(seclabel->model),
              NULLSTR(seclabel->label),
              NULLSTR(seclabel->imagelabel),
              NULLSTR(seclabel->baselabel));
718

719 720 721
    return rc;
}

722
static int
723
virSecuritySELinuxReserveSecurityLabel(virSecurityManagerPtr mgr,
724 725
                                       virDomainDefPtr def,
                                       pid_t pid)
726 727 728 729
{
    security_context_t pctx;
    context_t ctx = NULL;
    const char *mcs;
730
    int rv;
731
    virSecurityLabelDefPtr seclabel;
732

733
    seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
734 735 736
    if (!seclabel ||
        seclabel->type == VIR_DOMAIN_SECLABEL_NONE ||
        seclabel->type == VIR_DOMAIN_SECLABEL_STATIC)
737 738
        return 0;

M
Martin Kletzander 已提交
739
    if (getpidcon_raw(pid, &pctx) == -1) {
740
        virReportSystemError(errno,
741
                             _("unable to get PID %d security context"), pid);
742 743 744 745
        return -1;
    }

    ctx = context_new(pctx);
746
    freecon(pctx);
747
    if (!ctx)
748
        goto error;
749 750 751

    mcs = context_range_get(ctx);
    if (!mcs)
752 753
        goto error;

754
    if ((rv = virSecuritySELinuxMCSAdd(mgr, mcs)) < 0)
755
        goto error;
756

757 758 759 760 761 762
    if (rv == 1) {
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("MCS level for existing domain label %s already reserved"),
                       (char*)pctx);
        goto error;
    }
763 764 765 766 767

    context_free(ctx);

    return 0;

768
 error:
769 770 771 772 773
    context_free(ctx);
    return -1;
}


774
static int
775
virSecuritySELinuxSecurityDriverProbe(const char *virtDriver)
776
{
777
    if (is_selinux_enabled() <= 0)
778 779
        return SECURITY_DRIVER_DISABLE;

780 781 782 783 784 785
    if (virtDriver && STREQ(virtDriver, "LXC")) {
#if HAVE_SELINUX_LXC_CONTEXTS_PATH
        if (!virFileExists(selinux_lxc_contexts_path()))
#endif
            return SECURITY_DRIVER_DISABLE;
    }
786 787

    return SECURITY_DRIVER_ENABLE;
788 789
}

790

791
static int
792
virSecuritySELinuxSecurityDriverOpen(virSecurityManagerPtr mgr)
793
{
794
    return virSecuritySELinuxInitialize(mgr);
795 796
}

797

798
static int
799
virSecuritySELinuxSecurityDriverClose(virSecurityManagerPtr mgr)
800
{
801 802 803 804 805
    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);

    if (!data)
        return 0;

806
#if HAVE_SELINUX_LABEL_H
807 808
    if (data->label_handle)
        selabel_close(data->label_handle);
809 810
#endif

811 812
    virHashFree(data->mcs);

813
    VIR_FREE(data->domain_context);
814
    VIR_FREE(data->alt_domain_context);
815 816 817
    VIR_FREE(data->file_context);
    VIR_FREE(data->content_context);

818 819 820 821
    return 0;
}


822 823
static const char *
virSecuritySELinuxSecurityGetModel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
824 825 826 827
{
    return SECURITY_SELINUX_NAME;
}

828 829
static const char *
virSecuritySELinuxSecurityGetDOI(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
830 831 832 833 834
{
    /*
     * Where will the DOI come from?  SELinux configuration, or qemu
     * configuration? For the moment, we'll just set it to "0".
     */
835
    return SECURITY_SELINUX_VOID_DOI;
836 837 838
}

static int
839 840 841 842
virSecuritySELinuxGetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                          virDomainDefPtr def ATTRIBUTE_UNUSED,
                                          pid_t pid,
                                          virSecurityLabelPtr sec)
843 844 845
{
    security_context_t ctx;

M
Martin Kletzander 已提交
846
    if (getpidcon_raw(pid, &ctx) == -1) {
847
        virReportSystemError(errno,
848
                             _("unable to get PID %d security context"),
849
                             pid);
850 851 852 853
        return -1;
    }

    if (strlen((char *) ctx) >= VIR_SECURITY_LABEL_BUFLEN) {
854 855 856 857
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("security label exceeds "
                         "maximum length: %d"),
                       VIR_SECURITY_LABEL_BUFLEN - 1);
858
        freecon(ctx);
859 860 861 862
        return -1;
    }

    strcpy(sec->label, (char *) ctx);
863
    freecon(ctx);
864

865
    VIR_DEBUG("label=%s", sec->label);
866 867
    sec->enforcing = security_getenforce();
    if (sec->enforcing == -1) {
868
        virReportSystemError(errno, "%s",
869
                             _("error calling security_getenforce()"));
870 871 872 873 874 875
        return -1;
    }

    return 0;
}

876 877 878
/* Attempt to change the label of PATH to TCON.  If OPTIONAL is true,
 * return 1 if labelling was not possible.  Otherwise, require a label
 * change, and return 0 for success, -1 for failure.  */
879
static int
880
virSecuritySELinuxSetFileconHelper(const char *path, char *tcon, bool optional)
881
{
882
    security_context_t econ;
883

884 885
    VIR_INFO("Setting SELinux context on '%s' to '%s'", path, tcon);

M
Martin Kletzander 已提交
886
    if (setfilecon_raw(path, tcon) < 0) {
887 888
        int setfilecon_errno = errno;

M
Martin Kletzander 已提交
889
        if (getfilecon_raw(path, &econ) >= 0) {
890 891 892
            if (STREQ(tcon, econ)) {
                freecon(econ);
                /* It's alright, there's nothing to change anyway. */
893
                return optional ? 1 : 0;
894 895 896
            }
            freecon(econ);
        }
897

898 899 900 901 902
        /* If the error complaint is related to an image hosted on a (possibly
         * read-only) NFS mount, or a usbfs/sysfs filesystem not supporting
         * labelling, then just ignore it & hope for the best.  The user
         * hopefully sets one of the necessary SELinux virt_use_{nfs,usb,pci}
         * boolean tunables to allow it ...
903
         */
904 905
        if (setfilecon_errno != EOPNOTSUPP && setfilecon_errno != ENOTSUP &&
            setfilecon_errno != EROFS) {
906
            virReportSystemError(setfilecon_errno,
907
                                 _("unable to set security context '%s' on '%s'"),
908
                                 tcon, path);
909 910
            if (security_getenforce() == 1)
                return -1;
911
        } else {
912
            const char *msg;
913
            if (virFileIsSharedFSType(path, VIR_FILE_SHFS_NFS) == 1 &&
914 915 916
                security_get_boolean_active("virt_use_nfs") != 1) {
                msg = _("Setting security context '%s' on '%s' not supported. "
                        "Consider setting virt_use_nfs");
917 918 919 920
                if (security_getenforce() == 1)
                    VIR_WARN(msg, tcon, path);
                else
                    VIR_INFO(msg, tcon, path);
921 922 923 924
            } else {
                VIR_INFO("Setting security context '%s' on '%s' not supported",
                         tcon, path);
            }
925 926
            if (optional)
                return 1;
927
        }
928 929 930 931
    }
    return 0;
}

932
static int
933
virSecuritySELinuxSetFileconOptional(const char *path, char *tcon)
934
{
935
    return virSecuritySELinuxSetFileconHelper(path, tcon, true);
936 937 938
}

static int
939
virSecuritySELinuxSetFilecon(const char *path, char *tcon)
940
{
941
    return virSecuritySELinuxSetFileconHelper(path, tcon, false);
942 943
}

944
static int
945
virSecuritySELinuxFSetFilecon(int fd, char *tcon)
946 947 948 949 950
{
    security_context_t econ;

    VIR_INFO("Setting SELinux context on fd %d to '%s'", fd, tcon);

M
Martin Kletzander 已提交
951
    if (fsetfilecon_raw(fd, tcon) < 0) {
952 953
        int fsetfilecon_errno = errno;

M
Martin Kletzander 已提交
954
        if (fgetfilecon_raw(fd, &econ) >= 0) {
955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982
            if (STREQ(tcon, econ)) {
                freecon(econ);
                /* It's alright, there's nothing to change anyway. */
                return 0;
            }
            freecon(econ);
        }

        /* if the error complaint is related to an image hosted on
         * an nfs mount, or a usbfs/sysfs filesystem not supporting
         * labelling, then just ignore it & hope for the best.
         * The user hopefully set one of the necessary SELinux
         * virt_use_{nfs,usb,pci}  boolean tunables to allow it...
         */
        if (fsetfilecon_errno != EOPNOTSUPP) {
            virReportSystemError(fsetfilecon_errno,
                                 _("unable to set security context '%s' on fd %d"),
                                 tcon, fd);
            if (security_getenforce() == 1)
                return -1;
        } else {
            VIR_INFO("Setting security context '%s' on fd %d not supported",
                     tcon, fd);
        }
    }
    return 0;
}

E
Eric Blake 已提交
983 984
/* Set fcon to the appropriate label for path and mode, or return -1.  */
static int
985
getContext(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
986
           const char *newpath, mode_t mode, security_context_t *fcon)
E
Eric Blake 已提交
987 988
{
#if HAVE_SELINUX_LABEL_H
989
    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
E
Eric Blake 已提交
990

991
    return selabel_lookup_raw(data->label_handle, fcon, newpath, mode);
E
Eric Blake 已提交
992 993 994 995 996
#else
    return matchpathcon(newpath, mode, fcon);
#endif
}

997 998 999

/* This method shouldn't raise errors, since they'll overwrite
 * errors that the caller(s) are already dealing with */
1000
static int
1001 1002
virSecuritySELinuxRestoreSecurityFileLabel(virSecurityManagerPtr mgr,
                                           const char *path)
1003
{
1004 1005 1006 1007
    struct stat buf;
    security_context_t fcon = NULL;
    int rc = -1;
    char *newpath = NULL;
1008
    char ebuf[1024];
1009

1010 1011
    VIR_INFO("Restoring SELinux context on '%s'", path);

1012
    if (virFileResolveLink(path, &newpath) < 0) {
1013 1014
        VIR_WARN("cannot resolve symlink %s: %s", path,
                 virStrerror(errno, ebuf, sizeof(ebuf)));
D
Daniel P. Berrange 已提交
1015
        goto err;
1016
    }
1017

1018
    if (stat(newpath, &buf) != 0) {
1019 1020
        VIR_WARN("cannot stat %s: %s", newpath,
                 virStrerror(errno, ebuf, sizeof(ebuf)));
D
Daniel P. Berrange 已提交
1021
        goto err;
1022
    }
D
Daniel P. Berrange 已提交
1023

1024
    if (getContext(mgr, newpath, buf.st_mode, &fcon) < 0) {
1025 1026 1027
        /* Any user created path likely does not have a default label,
         * which makes this an expected non error
         */
1028
        VIR_WARN("cannot lookup default selinux label for %s", newpath);
1029
        rc = 0;
1030
    } else {
1031
        rc = virSecuritySELinuxSetFilecon(newpath, fcon);
1032
    }
1033

1034
 err:
1035
    freecon(fcon);
1036 1037
    VIR_FREE(newpath);
    return rc;
1038 1039
}

1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052

static int
virSecuritySELinuxSetSecurityTPMFileLabel(virSecurityManagerPtr mgr,
                                          virDomainDefPtr def,
                                          virDomainTPMDefPtr tpm)
{
    int rc;
    virSecurityLabelDefPtr seclabel;
    char *cancel_path;
    const char *tpmdev;

    seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (seclabel == NULL)
1053
        return 0;
1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094

    switch (tpm->type) {
    case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
        tpmdev = tpm->data.passthrough.source.data.file.path;
        rc = virSecuritySELinuxSetFilecon(tpmdev, seclabel->imagelabel);
        if (rc < 0)
            return -1;

        if ((cancel_path = virTPMCreateCancelPath(tpmdev)) != NULL) {
            rc = virSecuritySELinuxSetFilecon(cancel_path,
                                              seclabel->imagelabel);
            VIR_FREE(cancel_path);
            if (rc < 0) {
                virSecuritySELinuxRestoreSecurityTPMFileLabelInt(mgr, def,
                                                                 tpm);
                return -1;
            }
        } else {
            return -1;
        }
        break;
    case VIR_DOMAIN_TPM_TYPE_LAST:
        break;
    }

    return 0;
}


static int
virSecuritySELinuxRestoreSecurityTPMFileLabelInt(virSecurityManagerPtr mgr,
                                                 virDomainDefPtr def,
                                                 virDomainTPMDefPtr tpm)
{
    int rc = 0;
    virSecurityLabelDefPtr seclabel;
    char *cancel_path;
    const char *tpmdev;

    seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (seclabel == NULL)
1095
        return 0;
1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115 1116

    switch (tpm->type) {
    case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
        tpmdev = tpm->data.passthrough.source.data.file.path;
        rc = virSecuritySELinuxRestoreSecurityFileLabel(mgr, tpmdev);

        if ((cancel_path = virTPMCreateCancelPath(tpmdev)) != NULL) {
            if (virSecuritySELinuxRestoreSecurityFileLabel(mgr,
                                  cancel_path) < 0)
                rc = -1;
            VIR_FREE(cancel_path);
        }
        break;
    case VIR_DOMAIN_TPM_TYPE_LAST:
        break;
    }

    return rc;
}


1117
static int
1118
virSecuritySELinuxRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr,
1119
                                               virDomainDefPtr def,
1120
                                               virStorageSourcePtr src,
1121
                                               bool migrated)
1122
{
1123 1124
    virSecurityLabelDefPtr seclabel;
    virSecurityDeviceLabelDefPtr disk_seclabel;
1125 1126 1127

    if (!src->path || !virStorageSourceIsLocalStorage(src))
        return 0;
1128 1129 1130

    seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (seclabel == NULL)
1131
        return 0;
1132

1133
    disk_seclabel = virStorageSourceGetSecurityLabelDef(src,
1134
                                                        SECURITY_SELINUX_NAME);
1135
    if (!seclabel->relabel || (disk_seclabel && !disk_seclabel->relabel))
1136 1137
        return 0;

1138 1139 1140
    /* If labelskip is true and there are no backing files, then we
     * know it is safe to skip the restore.  FIXME - backing files should
     * be tracked in domain XML, at which point labelskip should be a
1141
     * per-file attribute instead of a disk attribute. */
1142
    if (disk_seclabel && disk_seclabel->labelskip &&
1143
        !src->backingStore)
1144 1145
        return 0;

1146 1147 1148 1149 1150 1151
    /* Don't restore labels on readoly/shared disks, because other VMs may
     * still be accessing these. Alternatively we could iterate over all
     * running domains and try to figure out if it is in use, but this would
     * not work for clustered filesystems, since we can't see running VMs using
     * the file on other nodes. Safest bet is thus to skip the restore step. */
    if (src->readonly || src->shared)
1152 1153 1154
        return 0;


1155 1156 1157
    /* If we have a shared FS and are doing migration, we must not change
     * ownership, because that kills access on the destination host which is
     * sub-optimal for the guest VM's I/O attempts :-) */
1158
    if (migrated) {
1159
        int rc = virFileIsSharedFS(src->path);
1160 1161 1162 1163
        if (rc < 0)
            return -1;
        if (rc == 1) {
            VIR_DEBUG("Skipping image label restore on %s because FS is shared",
1164
                      src->path);
1165 1166 1167 1168
            return 0;
        }
    }

1169
    return virSecuritySELinuxRestoreSecurityFileLabel(mgr, src->path);
1170 1171
}

1172 1173

static int
1174 1175 1176
virSecuritySELinuxRestoreSecurityDiskLabel(virSecurityManagerPtr mgr,
                                           virDomainDefPtr def,
                                           virDomainDiskDefPtr disk)
1177
{
1178 1179 1180 1181 1182 1183 1184 1185 1186 1187 1188
    return virSecuritySELinuxRestoreSecurityImageLabelInt(mgr, def, disk->src,
                                                          false);
}


static int
virSecuritySELinuxRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
                                            virDomainDefPtr def,
                                            virStorageSourcePtr src)
{
    return virSecuritySELinuxRestoreSecurityImageLabelInt(mgr, def, src, false);
1189 1190 1191
}


1192
static int
1193 1194 1195 1196
virSecuritySELinuxSetSecurityImageLabelInternal(virSecurityManagerPtr mgr,
                                                virDomainDefPtr def,
                                                virStorageSourcePtr src,
                                                bool first)
1197
{
1198 1199
    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
    virSecurityLabelDefPtr secdef;
1200
    virSecurityDeviceLabelDefPtr disk_seclabel;
1201
    int ret;
1202

1203 1204 1205 1206
    if (!src->path || !virStorageSourceIsLocalStorage(src))
        return 0;

    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
1207
    if (!secdef || !secdef->relabel)
1208 1209 1210
        return 0;

    disk_seclabel = virStorageSourceGetSecurityLabelDef(src,
1211 1212
                                                        SECURITY_SELINUX_NAME);

1213
    if (disk_seclabel && !disk_seclabel->relabel)
1214 1215
        return 0;

1216
    if (disk_seclabel && disk_seclabel->relabel && disk_seclabel->label) {
1217 1218 1219 1220 1221 1222 1223 1224
        ret = virSecuritySELinuxSetFilecon(src->path, disk_seclabel->label);
    } else if (first) {
        if (src->shared) {
            ret = virSecuritySELinuxSetFileconOptional(src->path,
                                                       data->file_context);
        } else if (src->readonly) {
            ret = virSecuritySELinuxSetFileconOptional(src->path,
                                                       data->content_context);
1225
        } else if (secdef->imagelabel) {
1226 1227
            ret = virSecuritySELinuxSetFileconOptional(src->path,
                                                       secdef->imagelabel);
1228
        } else {
1229
            ret = 0;
1230 1231
        }
    } else {
1232 1233
        ret = virSecuritySELinuxSetFileconOptional(src->path,
                                                   data->content_context);
1234
    }
1235

1236
    if (ret == 1 && !disk_seclabel) {
1237 1238
        /* If we failed to set a label, but virt_use_nfs let us
         * proceed anyway, then we don't need to relabel later.  */
1239
        disk_seclabel = virSecurityDeviceLabelDefNew(SECURITY_SELINUX_NAME);
1240
        if (!disk_seclabel)
1241
            return -1;
1242
        disk_seclabel->labelskip = true;
1243
        if (VIR_APPEND_ELEMENT(src->seclabels, src->nseclabels,
1244
                               disk_seclabel) < 0) {
1245 1246 1247
            virSecurityDeviceLabelDefFree(disk_seclabel);
            return -1;
        }
1248
        ret = 0;
1249
    }
1250

1251
    return ret;
1252 1253
}

1254 1255 1256 1257 1258 1259 1260 1261 1262 1263

static int
virSecuritySELinuxSetSecurityImageLabel(virSecurityManagerPtr mgr,
                                        virDomainDefPtr def,
                                        virStorageSourcePtr src)
{
    return virSecuritySELinuxSetSecurityImageLabelInternal(mgr, def, src, true);
}


1264
static int
1265 1266 1267
virSecuritySELinuxSetSecurityDiskLabel(virSecurityManagerPtr mgr,
                                       virDomainDefPtr def,
                                       virDomainDiskDefPtr disk)
1268 1269

{
1270 1271
    bool first = true;
    virStorageSourcePtr next;
1272

1273 1274 1275 1276
    for (next = disk->src; next; next = next->backingStore) {
        if (virSecuritySELinuxSetSecurityImageLabelInternal(mgr, def, next,
                                                            first) < 0)
            return -1;
1277

1278 1279 1280 1281
        first = false;
    }

    return 0;
1282 1283
}

1284

1285
static int
1286
virSecuritySELinuxSetSecurityHostdevLabelHelper(const char *file, void *opaque)
1287
{
1288
    virSecurityLabelDefPtr secdef;
1289
    virDomainDefPtr def = opaque;
1290

1291 1292
    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (secdef == NULL)
1293
        return 0;
1294
    return virSecuritySELinuxSetFilecon(file, secdef->imagelabel);
1295 1296 1297
}

static int
1298
virSecuritySELinuxSetSecurityPCILabel(virPCIDevicePtr dev ATTRIBUTE_UNUSED,
1299
                                      const char *file, void *opaque)
1300
{
1301 1302
    return virSecuritySELinuxSetSecurityHostdevLabelHelper(file, opaque);
}
1303

1304 1305 1306 1307 1308
static int
virSecuritySELinuxSetSecurityUSBLabel(virUSBDevicePtr dev ATTRIBUTE_UNUSED,
                                      const char *file, void *opaque)
{
    return virSecuritySELinuxSetSecurityHostdevLabelHelper(file, opaque);
1309 1310
}

1311 1312 1313 1314 1315 1316
static int
virSecuritySELinuxSetSecuritySCSILabel(virSCSIDevicePtr dev ATTRIBUTE_UNUSED,
                                       const char *file, void *opaque)
{
    return virSecuritySELinuxSetSecurityHostdevLabelHelper(file, opaque);
}
1317

1318
static int
1319 1320 1321
virSecuritySELinuxSetSecurityHostdevSubsysLabel(virDomainDefPtr def,
                                                virDomainHostdevDefPtr dev,
                                                const char *vroot)
1322 1323

{
1324
    virDomainHostdevSubsysUSBPtr usbsrc = &dev->source.subsys.u.usb;
1325
    virDomainHostdevSubsysPCIPtr pcisrc = &dev->source.subsys.u.pci;
1326
    virDomainHostdevSubsysSCSIPtr scsisrc = &dev->source.subsys.u.scsi;
1327 1328
    int ret = -1;

1329 1330 1331
    /* Like virSecuritySELinuxSetSecurityImageLabelInternal() for a networked
     * disk, do nothing for an iSCSI hostdev
     */
1332 1333
    if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI &&
        scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
1334 1335
        return 0;

1336 1337
    switch (dev->source.subsys.type) {
    case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB: {
1338
        virUSBDevicePtr usb;
1339

1340 1341 1342
        if (dev->missing)
            return 0;

1343 1344
        usb = virUSBDeviceNew(usbsrc->bus,
                              usbsrc->device,
1345
                              vroot);
1346 1347
        if (!usb)
            goto done;
1348

1349 1350
        ret = virUSBDeviceFileIterate(usb, virSecuritySELinuxSetSecurityUSBLabel, def);
        virUSBDeviceFree(usb);
M
Mark McLoughlin 已提交
1351
        break;
1352 1353 1354
    }

    case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI: {
1355
        virPCIDevicePtr pci =
1356 1357
            virPCIDeviceNew(pcisrc->addr.domain, pcisrc->addr.bus,
                            pcisrc->addr.slot, pcisrc->addr.function);
1358 1359 1360 1361

        if (!pci)
            goto done;

1362
        if (pcisrc->backend == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_VFIO) {
1363
            char *vfioGroupDev = virPCIDeviceGetIOMMUGroupDev(pci);
1364

1365 1366
            if (!vfioGroupDev) {
                virPCIDeviceFree(pci);
1367
                goto done;
1368
            }
1369 1370 1371 1372 1373
            ret = virSecuritySELinuxSetSecurityPCILabel(pci, vfioGroupDev, def);
            VIR_FREE(vfioGroupDev);
        } else {
            ret = virPCIDeviceFileIterate(pci, virSecuritySELinuxSetSecurityPCILabel, def);
        }
1374
        virPCIDeviceFree(pci);
1375 1376 1377
        break;
    }

1378
    case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI: {
1379
        virDomainHostdevSubsysSCSIHostPtr scsihostsrc = &scsisrc->u.host;
1380
        virSCSIDevicePtr scsi =
1381
            virSCSIDeviceNew(NULL,
1382 1383
                             scsihostsrc->adapter, scsihostsrc->bus,
                             scsihostsrc->target, scsihostsrc->unit,
1384
                             dev->readonly, dev->shareable);
1385 1386 1387 1388 1389 1390 1391 1392 1393 1394

        if (!scsi)
            goto done;

        ret = virSCSIDeviceFileIterate(scsi, virSecuritySELinuxSetSecuritySCSILabel, def);
        virSCSIDeviceFree(scsi);

        break;
    }

1395 1396 1397 1398 1399
    default:
        ret = 0;
        break;
    }

1400
 done:
1401 1402 1403
    return ret;
}

1404

1405 1406 1407 1408 1409 1410 1411 1412 1413 1414 1415
static int
virSecuritySELinuxSetSecurityHostdevCapsLabel(virDomainDefPtr def,
                                              virDomainHostdevDefPtr dev,
                                              const char *vroot)
{
    int ret = -1;
    virSecurityLabelDefPtr secdef;
    char *path;

    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (secdef == NULL)
1416
        return 0;
1417 1418 1419 1420 1421

    switch (dev->source.caps.type) {
    case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_STORAGE: {
        if (vroot) {
            if (virAsprintf(&path, "%s/%s", vroot,
1422
                            dev->source.caps.u.storage.block) < 0)
1423 1424
                return -1;
        } else {
1425
            if (VIR_STRDUP(path, dev->source.caps.u.storage.block) < 0)
1426 1427 1428 1429 1430 1431 1432 1433 1434 1435
                return -1;
        }
        ret = virSecuritySELinuxSetFilecon(path, secdef->imagelabel);
        VIR_FREE(path);
        break;
    }

    case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_MISC: {
        if (vroot) {
            if (virAsprintf(&path, "%s/%s", vroot,
1436
                            dev->source.caps.u.misc.chardev) < 0)
1437 1438
                return -1;
        } else {
1439
            if (VIR_STRDUP(path, dev->source.caps.u.misc.chardev) < 0)
1440 1441 1442 1443 1444 1445 1446 1447 1448 1449 1450 1451 1452 1453 1454 1455
                return -1;
        }
        ret = virSecuritySELinuxSetFilecon(path, secdef->imagelabel);
        VIR_FREE(path);
        break;
    }

    default:
        ret = 0;
        break;
    }

    return ret;
}


1456 1457 1458 1459 1460 1461 1462 1463 1464 1465
static int
virSecuritySELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                          virDomainDefPtr def,
                                          virDomainHostdevDefPtr dev,
                                          const char *vroot)

{
    virSecurityLabelDefPtr secdef;

    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
1466
    if (!secdef || !secdef->relabel)
1467 1468 1469 1470 1471 1472
        return 0;

    switch (dev->mode) {
    case VIR_DOMAIN_HOSTDEV_MODE_SUBSYS:
        return virSecuritySELinuxSetSecurityHostdevSubsysLabel(def, dev, vroot);

1473 1474 1475
    case VIR_DOMAIN_HOSTDEV_MODE_CAPABILITIES:
        return virSecuritySELinuxSetSecurityHostdevCapsLabel(def, dev, vroot);

1476 1477 1478 1479 1480
    default:
        return 0;
    }
}

1481
static int
1482
virSecuritySELinuxRestoreSecurityPCILabel(virPCIDevicePtr dev ATTRIBUTE_UNUSED,
1483
                                          const char *file,
1484
                                          void *opaque)
1485
{
1486 1487 1488
    virSecurityManagerPtr mgr = opaque;

    return virSecuritySELinuxRestoreSecurityFileLabel(mgr, file);
1489 1490 1491
}

static int
1492
virSecuritySELinuxRestoreSecurityUSBLabel(virUSBDevicePtr dev ATTRIBUTE_UNUSED,
1493
                                          const char *file,
1494
                                          void *opaque)
1495
{
1496 1497 1498
    virSecurityManagerPtr mgr = opaque;

    return virSecuritySELinuxRestoreSecurityFileLabel(mgr, file);
1499 1500
}

1501

1502 1503 1504 1505 1506 1507 1508 1509 1510 1511
static int
virSecuritySELinuxRestoreSecuritySCSILabel(virSCSIDevicePtr dev ATTRIBUTE_UNUSED,
                                           const char *file,
                                           void *opaque)
{
    virSecurityManagerPtr mgr = opaque;

    return virSecuritySELinuxRestoreSecurityFileLabel(mgr, file);
}

1512
static int
1513 1514
virSecuritySELinuxRestoreSecurityHostdevSubsysLabel(virSecurityManagerPtr mgr,
                                                    virDomainHostdevDefPtr dev,
1515
                                                    const char *vroot)
1516 1517

{
1518
    virDomainHostdevSubsysUSBPtr usbsrc = &dev->source.subsys.u.usb;
1519
    virDomainHostdevSubsysPCIPtr pcisrc = &dev->source.subsys.u.pci;
1520
    virDomainHostdevSubsysSCSIPtr scsisrc = &dev->source.subsys.u.scsi;
1521 1522
    int ret = -1;

1523 1524 1525
    /* Like virSecuritySELinuxRestoreSecurityImageLabelInt() for a networked
     * disk, do nothing for an iSCSI hostdev
     */
1526 1527
    if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI &&
        scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
1528 1529
        return 0;

1530 1531
    switch (dev->source.subsys.type) {
    case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB: {
1532
        virUSBDevicePtr usb;
1533 1534 1535

        if (dev->missing)
            return 0;
1536

1537 1538
        usb = virUSBDeviceNew(usbsrc->bus,
                              usbsrc->device,
1539
                              vroot);
1540 1541 1542
        if (!usb)
            goto done;

1543 1544
        ret = virUSBDeviceFileIterate(usb, virSecuritySELinuxRestoreSecurityUSBLabel, mgr);
        virUSBDeviceFree(usb);
1545 1546 1547 1548 1549

        break;
    }

    case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI: {
1550
        virPCIDevicePtr pci =
1551 1552
            virPCIDeviceNew(pcisrc->addr.domain, pcisrc->addr.bus,
                            pcisrc->addr.slot, pcisrc->addr.function);
1553 1554 1555 1556

        if (!pci)
            goto done;

1557
        if (pcisrc->backend == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_VFIO) {
1558
            char *vfioGroupDev = virPCIDeviceGetIOMMUGroupDev(pci);
1559

1560 1561
            if (!vfioGroupDev) {
                virPCIDeviceFree(pci);
1562
                goto done;
1563
            }
1564 1565 1566 1567 1568
            ret = virSecuritySELinuxRestoreSecurityPCILabel(pci, vfioGroupDev, mgr);
            VIR_FREE(vfioGroupDev);
        } else {
            ret = virPCIDeviceFileIterate(pci, virSecuritySELinuxRestoreSecurityPCILabel, mgr);
        }
1569
        virPCIDeviceFree(pci);
1570 1571 1572
        break;
    }

1573
    case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI: {
1574
        virDomainHostdevSubsysSCSIHostPtr scsihostsrc = &scsisrc->u.host;
1575
        virSCSIDevicePtr scsi =
1576
            virSCSIDeviceNew(NULL,
1577 1578
                             scsihostsrc->adapter, scsihostsrc->bus,
                             scsihostsrc->target, scsihostsrc->unit,
1579
                             dev->readonly, dev->shareable);
1580 1581 1582 1583 1584 1585 1586 1587 1588 1589

            if (!scsi)
                goto done;

            ret = virSCSIDeviceFileIterate(scsi, virSecuritySELinuxRestoreSecuritySCSILabel, mgr);
            virSCSIDeviceFree(scsi);

            break;
       }

1590 1591 1592 1593 1594
    default:
        ret = 0;
        break;
    }

1595
 done:
1596 1597 1598
    return ret;
}

1599

1600
static int
1601 1602
virSecuritySELinuxRestoreSecurityHostdevCapsLabel(virSecurityManagerPtr mgr,
                                                  virDomainHostdevDefPtr dev,
1603 1604 1605 1606 1607 1608 1609 1610 1611
                                                  const char *vroot)
{
    int ret = -1;
    char *path;

    switch (dev->source.caps.type) {
    case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_STORAGE: {
        if (vroot) {
            if (virAsprintf(&path, "%s/%s", vroot,
1612
                            dev->source.caps.u.storage.block) < 0)
1613 1614
                return -1;
        } else {
1615
            if (VIR_STRDUP(path, dev->source.caps.u.storage.block) < 0)
1616 1617
                return -1;
        }
1618
        ret = virSecuritySELinuxRestoreSecurityFileLabel(mgr, path);
1619 1620 1621 1622 1623 1624 1625
        VIR_FREE(path);
        break;
    }

    case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_MISC: {
        if (vroot) {
            if (virAsprintf(&path, "%s/%s", vroot,
1626
                            dev->source.caps.u.misc.chardev) < 0)
1627 1628
                return -1;
        } else {
1629
            if (VIR_STRDUP(path, dev->source.caps.u.misc.chardev) < 0)
1630 1631
                return -1;
        }
1632
        ret = virSecuritySELinuxRestoreSecurityFileLabel(mgr, path);
1633 1634 1635 1636 1637 1638 1639 1640 1641 1642 1643 1644 1645
        VIR_FREE(path);
        break;
    }

    default:
        ret = 0;
        break;
    }

    return ret;
}


1646
static int
1647
virSecuritySELinuxRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
1648 1649 1650 1651 1652 1653 1654 1655
                                              virDomainDefPtr def,
                                              virDomainHostdevDefPtr dev,
                                              const char *vroot)

{
    virSecurityLabelDefPtr secdef;

    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
1656
    if (!secdef || !secdef->relabel)
1657 1658 1659 1660
        return 0;

    switch (dev->mode) {
    case VIR_DOMAIN_HOSTDEV_MODE_SUBSYS:
1661
        return virSecuritySELinuxRestoreSecurityHostdevSubsysLabel(mgr, dev, vroot);
1662

1663
    case VIR_DOMAIN_HOSTDEV_MODE_CAPABILITIES:
1664
        return virSecuritySELinuxRestoreSecurityHostdevCapsLabel(mgr, dev, vroot);
1665

1666 1667 1668 1669 1670 1671
    default:
        return 0;
    }
}


1672
static int
1673
virSecuritySELinuxSetSecurityChardevLabel(virDomainDefPtr def,
1674 1675
                                          virDomainChrDefPtr dev,
                                          virDomainChrSourceDefPtr dev_source)
1676 1677

{
1678 1679 1680
    virSecurityLabelDefPtr seclabel;
    virSecurityDeviceLabelDefPtr chr_seclabel = NULL;
    char *imagelabel = NULL;
1681 1682 1683
    char *in = NULL, *out = NULL;
    int ret = -1;

1684
    seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
1685
    if (!seclabel || !seclabel->relabel)
1686
        return 0;
1687

1688 1689 1690 1691
    if (dev)
        chr_seclabel = virDomainChrDefGetSecurityLabelDef(dev,
                                                          SECURITY_SELINUX_NAME);

1692
    if (chr_seclabel && !chr_seclabel->relabel)
1693 1694
        return 0;

1695 1696 1697 1698 1699 1700
    if (chr_seclabel)
        imagelabel = chr_seclabel->label;
    if (!imagelabel)
        imagelabel = seclabel->imagelabel;

    switch (dev_source->type) {
1701 1702
    case VIR_DOMAIN_CHR_TYPE_DEV:
    case VIR_DOMAIN_CHR_TYPE_FILE:
1703 1704 1705 1706 1707 1708 1709 1710 1711 1712 1713
        ret = virSecuritySELinuxSetFilecon(dev_source->data.file.path,
                                           imagelabel);
        break;

    case VIR_DOMAIN_CHR_TYPE_UNIX:
        if (!dev_source->data.nix.listen) {
            if (virSecuritySELinuxSetFilecon(dev_source->data.file.path,
                                             imagelabel) < 0)
                goto done;
        }
        ret = 0;
1714 1715 1716
        break;

    case VIR_DOMAIN_CHR_TYPE_PIPE:
1717
        if ((virAsprintf(&in, "%s.in", dev_source->data.file.path) < 0) ||
1718
            (virAsprintf(&out, "%s.out", dev_source->data.file.path) < 0))
1719 1720
            goto done;
        if (virFileExists(in) && virFileExists(out)) {
1721 1722
            if ((virSecuritySELinuxSetFilecon(in, imagelabel) < 0) ||
                (virSecuritySELinuxSetFilecon(out, imagelabel) < 0)) {
1723
                goto done;
1724
            }
1725 1726
        } else if (virSecuritySELinuxSetFilecon(dev_source->data.file.path,
                                                imagelabel) < 0) {
1727
            goto done;
1728 1729 1730 1731 1732 1733 1734 1735 1736
        }
        ret = 0;
        break;

    default:
        ret = 0;
        break;
    }

1737
 done:
1738 1739 1740 1741 1742 1743
    VIR_FREE(in);
    VIR_FREE(out);
    return ret;
}

static int
1744 1745
virSecuritySELinuxRestoreSecurityChardevLabel(virSecurityManagerPtr mgr,
                                              virDomainDefPtr def,
1746 1747
                                              virDomainChrDefPtr dev,
                                              virDomainChrSourceDefPtr dev_source)
1748 1749

{
1750 1751
    virSecurityLabelDefPtr seclabel;
    virSecurityDeviceLabelDefPtr chr_seclabel = NULL;
1752 1753 1754
    char *in = NULL, *out = NULL;
    int ret = -1;

1755
    seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
1756
    if (!seclabel || !seclabel->relabel)
1757
        return 0;
1758

1759 1760 1761
    if (dev)
        chr_seclabel = virDomainChrDefGetSecurityLabelDef(dev,
                                                          SECURITY_SELINUX_NAME);
1762
    if (chr_seclabel && !chr_seclabel->relabel)
1763 1764
        return 0;

1765
    switch (dev_source->type) {
1766 1767
    case VIR_DOMAIN_CHR_TYPE_DEV:
    case VIR_DOMAIN_CHR_TYPE_FILE:
1768
        if (virSecuritySELinuxRestoreSecurityFileLabel(mgr, dev_source->data.file.path) < 0)
1769 1770
            goto done;
        ret = 0;
1771
        break;
1772 1773 1774

    case VIR_DOMAIN_CHR_TYPE_UNIX:
        if (!dev_source->data.nix.listen) {
1775
            if (virSecuritySELinuxRestoreSecurityFileLabel(mgr, dev_source->data.file.path) < 0)
1776 1777 1778 1779 1780
                goto done;
        }
        ret = 0;
        break;

1781
    case VIR_DOMAIN_CHR_TYPE_PIPE:
1782
        if ((virAsprintf(&out, "%s.out", dev_source->data.file.path) < 0) ||
1783
            (virAsprintf(&in, "%s.in", dev_source->data.file.path) < 0))
1784
            goto done;
1785
        if (virFileExists(in) && virFileExists(out)) {
1786 1787
            if ((virSecuritySELinuxRestoreSecurityFileLabel(mgr, out) < 0) ||
                (virSecuritySELinuxRestoreSecurityFileLabel(mgr, in) < 0)) {
1788 1789
                goto done;
            }
1790
        } else if (virSecuritySELinuxRestoreSecurityFileLabel(mgr, dev_source->data.file.path) < 0) {
1791
            goto done;
1792
        }
1793 1794 1795 1796 1797 1798 1799 1800
        ret = 0;
        break;

    default:
        ret = 0;
        break;
    }

1801
 done:
1802 1803 1804 1805 1806 1807 1808
    VIR_FREE(in);
    VIR_FREE(out);
    return ret;
}


static int
1809 1810
virSecuritySELinuxRestoreSecurityChardevCallback(virDomainDefPtr def,
                                                 virDomainChrDefPtr dev,
1811
                                                 void *opaque)
1812
{
1813 1814
    virSecurityManagerPtr mgr = opaque;

1815 1816 1817 1818 1819
    /* This is taken care of by processing of def->serials */
    if (dev->deviceType == VIR_DOMAIN_CHR_DEVICE_TYPE_CONSOLE &&
        dev->targetType == VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_SERIAL)
        return 0;

1820
    return virSecuritySELinuxRestoreSecurityChardevLabel(mgr, def, dev,
1821
                                                         &dev->source);
1822 1823 1824
}


E
Eric Blake 已提交
1825
static int
1826 1827
virSecuritySELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def,
                                                   virDomainSmartcardDefPtr dev,
1828
                                                   void *opaque)
E
Eric Blake 已提交
1829
{
1830
    virSecurityManagerPtr mgr = opaque;
E
Eric Blake 已提交
1831 1832 1833 1834 1835 1836 1837 1838 1839 1840
    const char *database;

    switch (dev->type) {
    case VIR_DOMAIN_SMARTCARD_TYPE_HOST:
        break;

    case VIR_DOMAIN_SMARTCARD_TYPE_HOST_CERTIFICATES:
        database = dev->data.cert.database;
        if (!database)
            database = VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE;
1841
        return virSecuritySELinuxRestoreSecurityFileLabel(mgr, database);
E
Eric Blake 已提交
1842 1843

    case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
1844
        return virSecuritySELinuxRestoreSecurityChardevLabel(mgr, def, NULL, &dev->data.passthru);
E
Eric Blake 已提交
1845 1846

    default:
1847 1848 1849
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("unknown smartcard type %d"),
                       dev->type);
E
Eric Blake 已提交
1850 1851 1852 1853 1854 1855 1856
        return -1;
    }

    return 0;
}


1857 1858 1859 1860 1861 1862 1863 1864 1865 1866 1867
static const char *
virSecuritySELinuxGetBaseLabel(virSecurityManagerPtr mgr, int virtType)
{
    virSecuritySELinuxDataPtr priv = virSecurityManagerGetPrivateData(mgr);
    if (virtType == VIR_DOMAIN_VIRT_QEMU && priv->alt_domain_context)
        return priv->alt_domain_context;
    else
        return priv->domain_context;
}


1868
static int
1869
virSecuritySELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
1870
                                          virDomainDefPtr def,
1871
                                          bool migrated)
1872
{
1873
    virSecurityLabelDefPtr secdef;
1874
    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
1875
    size_t i;
1876
    int rc = 0;
1877

1878
    VIR_DEBUG("Restoring security label on %s", def->name);
1879

1880 1881
    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);

1882
    if (!secdef || !secdef->relabel || data->skipAllLabel)
1883 1884
        return 0;

1885 1886 1887 1888 1889 1890
    if (def->tpm) {
        if (virSecuritySELinuxRestoreSecurityTPMFileLabelInt(mgr, def,
                                                             def->tpm) < 0)
            rc = -1;
    }

1891
    for (i = 0; i < def->nhostdevs; i++) {
1892 1893
        if (virSecuritySELinuxRestoreSecurityHostdevLabel(mgr,
                                                          def,
1894 1895
                                                          def->hostdevs[i],
                                                          NULL) < 0)
1896
            rc = -1;
1897
    }
1898
    for (i = 0; i < def->ndisks; i++) {
1899 1900 1901
        virDomainDiskDefPtr disk = def->disks[i];

        if (virSecuritySELinuxRestoreSecurityImageLabelInt(mgr, def, disk->src,
1902
                                                           migrated) < 0)
1903 1904
            rc = -1;
    }
1905

1906
    if (virDomainChrDefForeach(def,
1907
                               false,
1908
                               virSecuritySELinuxRestoreSecurityChardevCallback,
1909
                               mgr) < 0)
1910 1911
        rc = -1;

1912
    if (virDomainSmartcardDefForeach(def,
E
Eric Blake 已提交
1913
                                     false,
1914
                                     virSecuritySELinuxRestoreSecuritySmartcardCallback,
1915
                                     mgr) < 0)
E
Eric Blake 已提交
1916 1917
        rc = -1;

1918 1919 1920 1921
    if (def->os.loader && def->os.loader->nvram &&
        virSecuritySELinuxRestoreSecurityFileLabel(mgr, def->os.loader->nvram) < 0)
        rc = -1;

1922
    if (def->os.kernel &&
1923
        virSecuritySELinuxRestoreSecurityFileLabel(mgr, def->os.kernel) < 0)
1924 1925
        rc = -1;

1926
    if (def->os.initrd &&
1927
        virSecuritySELinuxRestoreSecurityFileLabel(mgr, def->os.initrd) < 0)
1928 1929
        rc = -1;

O
Olivia Yin 已提交
1930 1931 1932 1933
    if (def->os.dtb &&
        virSecuritySELinuxRestoreSecurityFileLabel(mgr, def->os.dtb) < 0)
        rc = -1;

1934 1935 1936 1937
    return rc;
}

static int
1938
virSecuritySELinuxReleaseSecurityLabel(virSecurityManagerPtr mgr,
1939
                                       virDomainDefPtr def)
1940
{
1941 1942 1943 1944
    virSecurityLabelDefPtr secdef;

    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (secdef == NULL)
1945
        return 0;
1946

1947 1948 1949 1950
    if (secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
        if (secdef->label != NULL) {
            context_t con = context_new(secdef->label);
            if (con) {
1951
                virSecuritySELinuxMCSRemove(mgr, context_range_get(con));
1952 1953 1954 1955 1956 1957
                context_free(con);
            }
        }
        VIR_FREE(secdef->label);
        if (!secdef->baselabel)
            VIR_FREE(secdef->model);
1958 1959 1960
    }
    VIR_FREE(secdef->imagelabel);

1961
    return 0;
1962 1963
}

1964 1965

static int
1966 1967 1968
virSecuritySELinuxSetSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                     virDomainDefPtr def,
                                     const char *savefile)
1969
{
1970 1971 1972
    virSecurityLabelDefPtr secdef;

    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
1973
    if (!secdef || !secdef->relabel)
1974 1975
        return 0;

1976
    return virSecuritySELinuxSetFilecon(savefile, secdef->imagelabel);
1977 1978 1979 1980
}


static int
1981
virSecuritySELinuxRestoreSavedStateLabel(virSecurityManagerPtr mgr,
1982 1983
                                         virDomainDefPtr def,
                                         const char *savefile)
1984
{
1985 1986 1987
    virSecurityLabelDefPtr secdef;

    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
1988
    if (!secdef || !secdef->relabel)
1989 1990
        return 0;

1991
    return virSecuritySELinuxRestoreSecurityFileLabel(mgr, savefile);
1992 1993 1994
}


1995
static int
1996 1997
virSecuritySELinuxSecurityVerify(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                 virDomainDefPtr def)
1998
{
1999 2000 2001 2002
    virSecurityLabelDefPtr secdef;

    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (secdef == NULL)
2003
        return 0;
2004

2005
    if (!STREQ(SECURITY_SELINUX_NAME, secdef->model)) {
2006 2007 2008 2009
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("security label driver mismatch: "
                         "'%s' model configured for domain, but "
                         "hypervisor driver is '%s'."),
2010
                       secdef->model, SECURITY_SELINUX_NAME);
2011 2012 2013
        return -1;
    }

2014 2015
    if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC) {
        if (security_check_context(secdef->label) != 0) {
2016 2017
            virReportError(VIR_ERR_XML_ERROR,
                           _("Invalid security label %s"), secdef->label);
2018 2019 2020 2021 2022 2023
            return -1;
        }
    }
    return 0;
}

2024
static int
2025
virSecuritySELinuxSetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
2026
                                          virDomainDefPtr def)
2027 2028
{
    /* TODO: verify DOI */
2029 2030 2031
    virSecurityLabelDefPtr secdef;

    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
2032
    if (!secdef || !secdef->label)
2033 2034
        return 0;

2035
    VIR_DEBUG("label=%s", secdef->label);
2036
    if (!STREQ(SECURITY_SELINUX_NAME, secdef->model)) {
2037 2038 2039 2040
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("security label driver mismatch: "
                         "'%s' model configured for domain, but "
                         "hypervisor driver is '%s'."),
2041
                       secdef->model, SECURITY_SELINUX_NAME);
2042
        if (security_getenforce() == 1)
2043
            return -1;
2044 2045
    }

M
Martin Kletzander 已提交
2046
    if (setexeccon_raw(secdef->label) == -1) {
2047
        virReportSystemError(errno,
2048 2049
                             _("unable to set security context '%s'"),
                             secdef->label);
2050
        if (security_getenforce() == 1)
2051
            return -1;
2052 2053
    }

2054 2055 2056
    return 0;
}

2057 2058 2059 2060 2061 2062 2063 2064 2065
static int
virSecuritySELinuxSetSecurityChildProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                               virDomainDefPtr def,
                                               virCommandPtr cmd)
{
    /* TODO: verify DOI */
    virSecurityLabelDefPtr secdef;

    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
2066
    if (!secdef || !secdef->label)
2067 2068 2069 2070 2071 2072 2073 2074 2075 2076 2077 2078 2079 2080 2081 2082 2083 2084
        return 0;

    VIR_DEBUG("label=%s", secdef->label);
    if (!STREQ(SECURITY_SELINUX_NAME, secdef->model)) {
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("security label driver mismatch: "
                         "'%s' model configured for domain, but "
                         "hypervisor driver is '%s'."),
                       secdef->model, SECURITY_SELINUX_NAME);
        if (security_getenforce() == 1)
            return -1;
    }

    /* save in cmd to be set after fork/before child process is exec'ed */
    virCommandSetSELinuxLabel(cmd, secdef->label);
    return 0;
}

2085
static int
2086
virSecuritySELinuxSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
2087
                                               virDomainDefPtr def)
2088 2089
{
    /* TODO: verify DOI */
2090
    virSecurityLabelDefPtr secdef;
2091
    security_context_t scon = NULL;
2092
    char *str = NULL;
2093 2094
    int rc = -1;

2095
    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
2096
    if (!secdef || !secdef->label)
2097 2098
        return 0;

2099
    if (!STREQ(SECURITY_SELINUX_NAME, secdef->model)) {
2100 2101 2102 2103
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("security label driver mismatch: "
                         "'%s' model configured for domain, but "
                         "hypervisor driver is '%s'."),
2104
                       secdef->model, SECURITY_SELINUX_NAME);
2105 2106 2107
        goto done;
    }

M
Martin Kletzander 已提交
2108
    if (getcon_raw(&scon) == -1) {
2109 2110 2111 2112 2113 2114
        virReportSystemError(errno,
                             _("unable to get current process context '%s'"),
                             secdef->label);
        goto done;
    }

2115
    if (!(str = virSecuritySELinuxContextAddRange(secdef->label, scon)))
2116 2117
        goto done;

2118 2119
    VIR_DEBUG("Setting VM %s socket context %s", def->name, str);
    if (setsockcreatecon_raw(str) == -1) {
2120
        virReportSystemError(errno,
2121
                             _("unable to set socket security context '%s'"), str);
2122 2123 2124 2125
        goto done;
    }

    rc = 0;
2126
 done:
2127 2128 2129 2130

    if (security_getenforce() != 1)
        rc = 0;
    freecon(scon);
2131
    VIR_FREE(str);
2132 2133 2134
    return rc;
}

2135
static int
2136
virSecuritySELinuxSetSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
2137
                                         virDomainDefPtr vm)
2138
{
2139
    virSecurityLabelDefPtr secdef;
2140 2141
    int rc = -1;

2142
    secdef = virDomainDefGetSecurityLabelDef(vm, SECURITY_SELINUX_NAME);
2143
    if (!secdef || !secdef->label)
2144 2145
        return 0;

2146
    if (!STREQ(SECURITY_SELINUX_NAME, secdef->model)) {
2147 2148 2149 2150
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("security label driver mismatch: "
                         "'%s' model configured for domain, but "
                         "hypervisor driver is '%s'."),
2151
                       secdef->model, SECURITY_SELINUX_NAME);
2152 2153 2154 2155
        goto done;
    }

    VIR_DEBUG("Setting VM %s socket context %s",
2156
              vm->name, secdef->label);
M
Martin Kletzander 已提交
2157
    if (setsockcreatecon_raw(secdef->label) == -1) {
2158 2159 2160 2161 2162 2163 2164 2165
        virReportSystemError(errno,
                             _("unable to set socket security context '%s'"),
                             secdef->label);
        goto done;
    }

    rc = 0;

2166
 done:
2167 2168 2169 2170 2171 2172
    if (security_getenforce() != 1)
        rc = 0;

    return rc;
}

2173
static int
2174
virSecuritySELinuxClearSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
2175
                                           virDomainDefPtr def)
2176 2177
{
    /* TODO: verify DOI */
2178 2179 2180
    virSecurityLabelDefPtr secdef;

    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
2181
    if (!secdef || !secdef->label)
2182 2183
        return 0;

2184
    if (!STREQ(SECURITY_SELINUX_NAME, secdef->model)) {
2185 2186 2187 2188
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("security label driver mismatch: "
                         "'%s' model configured for domain, but "
                         "hypervisor driver is '%s'."),
2189
                       secdef->model, SECURITY_SELINUX_NAME);
2190 2191 2192 2193
        if (security_getenforce() == 1)
            return -1;
    }

M
Martin Kletzander 已提交
2194
    if (setsockcreatecon_raw(NULL) == -1) {
2195 2196 2197 2198 2199 2200 2201 2202 2203
        virReportSystemError(errno,
                             _("unable to clear socket security context '%s'"),
                             secdef->label);
        if (security_getenforce() == 1)
            return -1;
    }
    return 0;
}

2204 2205

static int
2206 2207 2208
virSecuritySELinuxSetSecurityChardevCallback(virDomainDefPtr def,
                                             virDomainChrDefPtr dev,
                                             void *opaque ATTRIBUTE_UNUSED)
2209
{
2210 2211 2212 2213 2214
    /* This is taken care of by processing of def->serials */
    if (dev->deviceType == VIR_DOMAIN_CHR_DEVICE_TYPE_CONSOLE &&
        dev->targetType == VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_SERIAL)
        return 0;

2215
    return virSecuritySELinuxSetSecurityChardevLabel(def, dev, &dev->source);
2216 2217 2218
}


E
Eric Blake 已提交
2219
static int
2220 2221 2222
virSecuritySELinuxSetSecuritySmartcardCallback(virDomainDefPtr def,
                                               virDomainSmartcardDefPtr dev,
                                               void *opaque)
E
Eric Blake 已提交
2223 2224
{
    const char *database;
2225 2226
    virSecurityManagerPtr mgr = opaque;
    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
E
Eric Blake 已提交
2227 2228 2229 2230 2231 2232 2233 2234 2235

    switch (dev->type) {
    case VIR_DOMAIN_SMARTCARD_TYPE_HOST:
        break;

    case VIR_DOMAIN_SMARTCARD_TYPE_HOST_CERTIFICATES:
        database = dev->data.cert.database;
        if (!database)
            database = VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE;
2236
        return virSecuritySELinuxSetFilecon(database, data->content_context);
E
Eric Blake 已提交
2237 2238

    case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
2239
        return virSecuritySELinuxSetSecurityChardevLabel(def, NULL, &dev->data.passthru);
E
Eric Blake 已提交
2240 2241

    default:
2242 2243 2244
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("unknown smartcard type %d"),
                       dev->type);
E
Eric Blake 已提交
2245 2246 2247 2248 2249 2250 2251
        return -1;
    }

    return 0;
}


2252
static int
2253 2254 2255
virSecuritySELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
                                      virDomainDefPtr def,
                                      const char *stdin_path)
2256
{
2257
    size_t i;
2258 2259 2260 2261
    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
    virSecurityLabelDefPtr secdef;

    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
2262

2263
    if (!secdef || !secdef->relabel || data->skipAllLabel)
2264 2265
        return 0;

2266
    for (i = 0; i < def->ndisks; i++) {
2267
        /* XXX fixme - we need to recursively label the entire tree :-( */
E
Eric Blake 已提交
2268
        if (virDomainDiskGetType(def->disks[i]) == VIR_STORAGE_TYPE_DIR) {
2269
            VIR_WARN("Unable to relabel directory tree %s for disk %s",
2270 2271
                     virDomainDiskGetSource(def->disks[i]),
                     def->disks[i]->dst);
2272
            continue;
2273
        }
2274
        if (virSecuritySELinuxSetSecurityDiskLabel(mgr,
2275
                                         def, def->disks[i]) < 0)
2276 2277
            return -1;
    }
2278
    /* XXX fixme process  def->fss if relabel == true */
2279

2280
    for (i = 0; i < def->nhostdevs; i++) {
2281
        if (virSecuritySELinuxSetSecurityHostdevLabel(mgr,
2282 2283 2284
                                                      def,
                                                      def->hostdevs[i],
                                                      NULL) < 0)
2285
            return -1;
2286
    }
2287 2288 2289 2290 2291
    if (def->tpm) {
        if (virSecuritySELinuxSetSecurityTPMFileLabel(mgr, def,
                                                      def->tpm) < 0)
            return -1;
    }
2292

2293
    if (virDomainChrDefForeach(def,
2294
                               true,
2295
                               virSecuritySELinuxSetSecurityChardevCallback,
2296
                               NULL) < 0)
2297 2298
        return -1;

2299
    if (virDomainSmartcardDefForeach(def,
E
Eric Blake 已提交
2300
                                     true,
2301
                                     virSecuritySELinuxSetSecuritySmartcardCallback,
2302
                                     mgr) < 0)
E
Eric Blake 已提交
2303 2304
        return -1;

M
Michal Privoznik 已提交
2305 2306
    /* This is different than kernel or initrd. The nvram store
     * is really a disk, qemu can read and write to it. */
2307
    if (def->os.loader && def->os.loader->nvram &&
M
Michal Privoznik 已提交
2308 2309
        secdef && secdef->imagelabel &&
        virSecuritySELinuxSetFilecon(def->os.loader->nvram, secdef->imagelabel) < 0)
2310 2311
        return -1;

2312
    if (def->os.kernel &&
2313
        virSecuritySELinuxSetFilecon(def->os.kernel, data->content_context) < 0)
2314 2315
        return -1;

2316
    if (def->os.initrd &&
2317
        virSecuritySELinuxSetFilecon(def->os.initrd, data->content_context) < 0)
2318 2319
        return -1;

O
Olivia Yin 已提交
2320 2321 2322 2323
    if (def->os.dtb &&
        virSecuritySELinuxSetFilecon(def->os.dtb, data->content_context) < 0)
        return -1;

2324
    if (stdin_path) {
2325
        if (virSecuritySELinuxSetFilecon(stdin_path, data->content_context) < 0 &&
2326
            virFileIsSharedFSType(stdin_path, VIR_FILE_SHFS_NFS) != 1)
2327 2328
            return -1;
    }
2329

2330 2331 2332
    return 0;
}

2333
static int
2334 2335 2336
virSecuritySELinuxSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                  virDomainDefPtr def,
                                  int fd)
2337
{
2338 2339 2340
    virSecurityLabelDefPtr secdef;

    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
2341
    if (!secdef || !secdef->imagelabel)
2342 2343
        return 0;

2344
    return virSecuritySELinuxFSetFilecon(fd, secdef->imagelabel);
2345 2346
}

2347
static int
2348
virSecuritySELinuxSetTapFDLabel(virSecurityManagerPtr mgr,
2349 2350 2351
                                virDomainDefPtr def,
                                int fd)
{
2352 2353
    struct stat buf;
    security_context_t fcon = NULL;
2354
    virSecurityLabelDefPtr secdef;
2355
    char *str = NULL, *proc = NULL, *fd_path = NULL;
2356
    int rc = -1;
2357 2358

    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
2359
    if (!secdef || !secdef->label)
2360 2361
        return 0;

2362 2363 2364 2365 2366 2367 2368 2369 2370 2371 2372
    if (fstat(fd, &buf) < 0) {
        virReportSystemError(errno, _("cannot stat tap fd %d"), fd);
        goto cleanup;
    }

    if ((buf.st_mode & S_IFMT) != S_IFCHR) {
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("tap fd %d is not character device"), fd);
        goto cleanup;
    }

2373 2374 2375 2376 2377 2378 2379 2380 2381 2382 2383 2384 2385 2386 2387 2388 2389 2390
    /* Label /dev/tap.* devices only. Leave /dev/net/tun alone! */
    if (virAsprintf(&proc, "/proc/self/fd/%d", fd) == -1)
        goto cleanup;

    if (virFileResolveLink(proc, &fd_path) < 0) {
        virReportSystemError(errno,
                             _("Unable to resolve link: %s"), proc);
        goto cleanup;
    }

    if (!STRPREFIX(fd_path, "/dev/tap")) {
        VIR_DEBUG("fd=%d points to %s not setting SELinux label",
                  fd, fd_path);
        rc = 0;
        goto cleanup;
    }

    if (getContext(mgr, "/dev/tap*", buf.st_mode, &fcon) < 0) {
2391 2392 2393 2394 2395 2396 2397 2398 2399 2400 2401 2402 2403
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("cannot lookup default selinux label for tap fd %d"), fd);
        goto cleanup;
    }

    if (!(str = virSecuritySELinuxContextAddRange(secdef->label, fcon))) {
        goto cleanup;
    } else {
        rc = virSecuritySELinuxFSetFilecon(fd, str);
    }

 cleanup:
    freecon(fcon);
2404 2405
    VIR_FREE(fd_path);
    VIR_FREE(proc);
2406 2407
    VIR_FREE(str);
    return rc;
2408 2409
}

2410 2411 2412 2413
static char *
virSecuritySELinuxGenImageLabel(virSecurityManagerPtr mgr,
                                virDomainDefPtr def)
{
2414
    virSecurityLabelDefPtr secdef;
2415 2416 2417 2418
    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
    const char *range;
    context_t ctx = NULL;
    char *label = NULL;
2419
    char *mcs = NULL;
2420

2421 2422 2423 2424
    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (secdef == NULL)
        goto cleanup;

2425 2426 2427
    if (secdef->label) {
        ctx = context_new(secdef->label);
        if (!ctx) {
2428 2429
            virReportSystemError(errno, _("unable to create selinux context for: %s"),
                                 secdef->label);
2430 2431 2432 2433
            goto cleanup;
        }
        range = context_range_get(ctx);
        if (range) {
2434
            if (VIR_STRDUP(mcs, range) < 0)
2435
                goto cleanup;
2436 2437
            if (!(label = virSecuritySELinuxGenNewContext(data->file_context,
                                                          mcs, true)))
2438 2439 2440 2441
                goto cleanup;
        }
    }

2442
 cleanup:
2443 2444 2445
    context_free(ctx);
    VIR_FREE(mcs);
    return label;
2446 2447
}

2448 2449 2450 2451
static char *
virSecuritySELinuxGetSecurityMountOptions(virSecurityManagerPtr mgr,
                                          virDomainDefPtr def)
{
2452
    char *opts = NULL;
2453 2454
    virSecurityLabelDefPtr secdef;

2455 2456 2457 2458 2459 2460 2461
    if ((secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME))) {
        if (!secdef->imagelabel)
            secdef->imagelabel = virSecuritySELinuxGenImageLabel(mgr, def);

        if (secdef->imagelabel &&
            virAsprintf(&opts,
                        ",context=\"%s\"",
2462
                        (const char*) secdef->imagelabel) < 0)
2463 2464
            return NULL;
    }
2465

2466
    if (!opts && VIR_STRDUP(opts, "") < 0)
2467
        return NULL;
2468

2469 2470
    VIR_DEBUG("imageLabel=%s opts=%s",
              secdef ? secdef->imagelabel : "(null)", opts);
2471 2472 2473
    return opts;
}

2474
virSecurityDriver virSecurityDriverSELinux = {
2475 2476
    .privateDataLen                     = sizeof(virSecuritySELinuxData),
    .name                               = SECURITY_SELINUX_NAME,
2477 2478 2479
    .probe                              = virSecuritySELinuxSecurityDriverProbe,
    .open                               = virSecuritySELinuxSecurityDriverOpen,
    .close                              = virSecuritySELinuxSecurityDriverClose,
2480

2481 2482
    .getModel                           = virSecuritySELinuxSecurityGetModel,
    .getDOI                             = virSecuritySELinuxSecurityGetDOI,
2483

2484
    .domainSecurityVerify               = virSecuritySELinuxSecurityVerify,
2485

2486
    .domainSetSecurityDiskLabel         = virSecuritySELinuxSetSecurityDiskLabel,
2487
    .domainRestoreSecurityDiskLabel     = virSecuritySELinuxRestoreSecurityDiskLabel,
2488

2489
    .domainSetSecurityImageLabel        = virSecuritySELinuxSetSecurityImageLabel,
2490 2491
    .domainRestoreSecurityImageLabel    = virSecuritySELinuxRestoreSecurityImageLabel,

2492 2493 2494
    .domainSetSecurityDaemonSocketLabel = virSecuritySELinuxSetSecurityDaemonSocketLabel,
    .domainSetSecuritySocketLabel       = virSecuritySELinuxSetSecuritySocketLabel,
    .domainClearSecuritySocketLabel     = virSecuritySELinuxClearSecuritySocketLabel,
2495

2496 2497 2498
    .domainGenSecurityLabel             = virSecuritySELinuxGenSecurityLabel,
    .domainReserveSecurityLabel         = virSecuritySELinuxReserveSecurityLabel,
    .domainReleaseSecurityLabel         = virSecuritySELinuxReleaseSecurityLabel,
2499

2500 2501
    .domainGetSecurityProcessLabel      = virSecuritySELinuxGetSecurityProcessLabel,
    .domainSetSecurityProcessLabel      = virSecuritySELinuxSetSecurityProcessLabel,
2502
    .domainSetSecurityChildProcessLabel = virSecuritySELinuxSetSecurityChildProcessLabel,
2503

2504 2505
    .domainSetSecurityAllLabel          = virSecuritySELinuxSetSecurityAllLabel,
    .domainRestoreSecurityAllLabel      = virSecuritySELinuxRestoreSecurityAllLabel,
2506

2507 2508
    .domainSetSecurityHostdevLabel      = virSecuritySELinuxSetSecurityHostdevLabel,
    .domainRestoreSecurityHostdevLabel  = virSecuritySELinuxRestoreSecurityHostdevLabel,
2509

2510 2511
    .domainSetSavedStateLabel           = virSecuritySELinuxSetSavedStateLabel,
    .domainRestoreSavedStateLabel       = virSecuritySELinuxRestoreSavedStateLabel,
2512

2513
    .domainSetSecurityImageFDLabel      = virSecuritySELinuxSetImageFDLabel,
2514
    .domainSetSecurityTapFDLabel        = virSecuritySELinuxSetTapFDLabel,
2515

2516
    .domainGetSecurityMountOptions      = virSecuritySELinuxGetSecurityMountOptions,
2517
    .getBaseLabel                       = virSecuritySELinuxGetBaseLabel,
2518
};