security_selinux.c 69.7 KB
Newer Older
1
/*
2
 * Copyright (C) 2008-2013 Red Hat, Inc.
3 4 5 6 7 8
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
O
Osier Yang 已提交
9 10 11 12 13 14
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
15
 * License along with this library.  If not, see
O
Osier Yang 已提交
16 17
 * <http://www.gnu.org/licenses/>.
 *
18 19
 * Authors:
 *     James Morris <jmorris@namei.org>
20
 *     Dan Walsh <dwalsh@redhat.com>
21 22 23 24 25 26 27 28 29
 *
 * SELinux security driver.
 */
#include <config.h>
#include <selinux/selinux.h>
#include <selinux/context.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
E
Eric Blake 已提交
30 31 32
#if HAVE_SELINUX_LABEL_H
# include <selinux/label.h>
#endif
33

34
#include "security_driver.h"
35
#include "security_selinux.h"
36
#include "virerror.h"
37
#include "virutil.h"
38
#include "viralloc.h"
39
#include "virlog.h"
40
#include "virpci.h"
41
#include "virusb.h"
42
#include "virstoragefile.h"
E
Eric Blake 已提交
43
#include "virfile.h"
44
#include "virhash.h"
45
#include "virrandom.h"
46
#include "virutil.h"
47
#include "virconf.h"
D
Daniel P. Berrange 已提交
48 49 50

#define VIR_FROM_THIS VIR_FROM_SECURITY

51 52 53 54 55 56 57 58 59 60
#define MAX_CONTEXT 1024

typedef struct _virSecuritySELinuxData virSecuritySELinuxData;
typedef virSecuritySELinuxData *virSecuritySELinuxDataPtr;

typedef struct _virSecuritySELinuxCallbackData virSecuritySELinuxCallbackData;
typedef virSecuritySELinuxCallbackData *virSecuritySELinuxCallbackDataPtr;

struct _virSecuritySELinuxData {
    char *domain_context;
61
    char *alt_domain_context;
62 63
    char *file_context;
    char *content_context;
64
    virHashTablePtr mcs;
65
    bool skipAllLabel;
66 67 68
#if HAVE_SELINUX_LABEL_H
    struct selabel_handle *label_handle;
#endif
69 70 71 72 73 74 75
};

struct _virSecuritySELinuxCallbackData {
    virSecurityManagerPtr manager;
    virSecurityLabelDefPtr secdef;
};

76 77 78
#define SECURITY_SELINUX_VOID_DOI       "0"
#define SECURITY_SELINUX_NAME "selinux"

79 80 81
/*
 * Returns 0 on success, 1 if already reserved, or -1 on fatal error
 */
82
static int
83 84
virSecuritySELinuxMCSAdd(virSecurityManagerPtr mgr,
                         const char *mcs)
85
{
86
    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
87

88 89 90 91
    if (virHashLookup(data->mcs, mcs))
        return 1;

    if (virHashAddEntry(data->mcs, mcs, (void*)0x1) < 0)
92
        return -1;
93

94 95 96
    return 0;
}

97 98 99
static void
virSecuritySELinuxMCSRemove(virSecurityManagerPtr mgr,
                            const char *mcs)
100
{
101 102 103
    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);

    virHashRemoveEntry(data->mcs, mcs);
104 105
}

106 107

static char *
108 109 110 111
virSecuritySELinuxMCSFind(virSecurityManagerPtr mgr,
                          const char *sens,
                          int catMin,
                          int catMax)
112 113
{
    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
114
    int catRange;
115
    char *mcs = NULL;
116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166

    /* +1 since virRandomInt range is exclusive of the upper bound */
    catRange = (catMax - catMin) + 1;

    if (catRange < 8) {
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("Category range c%d-c%d too small"),
                       catMin, catMax);
        return NULL;
    }

    VIR_DEBUG("Using sensitivity level '%s' cat min %d max %d range %d",
              sens, catMin, catMax, catRange);

    for (;;) {
        int c1 = virRandomInt(catRange);
        int c2 = virRandomInt(catRange);

        VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1 + catMin, c2 + catMin);

        if (c1 == c2) {
            if (virAsprintf(&mcs, "%s:c%d", sens, catMin + c1) < 0) {
                virReportOOMError();
                return NULL;
            }
        } else {
            if (c1 > c2) {
                int t = c1;
                c1 = c2;
                c2 = t;
            }
            if (virAsprintf(&mcs, "%s:c%d,c%d", sens, catMin + c1, catMin + c2) < 0) {
                virReportOOMError();
                return NULL;
            }
        }

        if (virHashLookup(data->mcs, mcs) == NULL)
            break;

        VIR_FREE(mcs);
    }

    return mcs;
}

static int
virSecuritySELinuxMCSGetProcessRange(char **sens,
                                     int *catMin,
                                     int *catMax)
{
167 168
    security_context_t ourSecContext = NULL;
    context_t ourContext = NULL;
169 170
    char *cat, *tmp;
    int ret = -1;
171

M
Martin Kletzander 已提交
172
    if (getcon_raw(&ourSecContext) < 0) {
173 174 175 176 177 178 179 180 181 182 183
        virReportSystemError(errno, "%s",
                             _("Unable to get current process SELinux context"));
        goto cleanup;
    }
    if (!(ourContext = context_new(ourSecContext))) {
        virReportSystemError(errno,
                             _("Unable to parse current SELinux context '%s'"),
                             ourSecContext);
        goto cleanup;
    }

184
    if (!(*sens = strdup(context_range_get(ourContext)))) {
185 186 187 188 189
        virReportOOMError();
        goto cleanup;
    }

    /* Find and blank out the category part */
190
    if (!(tmp = strchr(*sens, ':'))) {
191 192
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("Cannot parse sensitivity level in %s"),
193
                       *sens);
194 195 196 197 198
        goto cleanup;
    }
    *tmp = '\0';
    cat = tmp + 1;
    /* Find and blank out the sensitivity upper bound */
199
    if ((tmp = strchr(*sens, '-')))
200 201 202 203 204 205 206 207 208 209 210 211
        *tmp = '\0';
    /* sens now just contains the sensitivity lower bound */

    /* Find & extract category min */
    tmp = cat;
    if (tmp[0] != 'c') {
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("Cannot parse category in %s"),
                       cat);
        goto cleanup;
    }
    tmp++;
212
    if (virStrToLong_i(tmp, &tmp, 10, catMin) < 0) {
213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("Cannot parse category in %s"),
                       cat);
        goto cleanup;
    }

    /* We *must* have a pair of categories otherwise
     * there's no range to allocate VM categories from */
    if (!tmp[0]) {
        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
                       _("No category range available"));
        goto cleanup;
    }

    /* Find & extract category max (if any) */
    if (tmp[0] != '.') {
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("Cannot parse category in %s"),
                       cat);
        goto cleanup;
    }
    tmp++;
    if (tmp[0] != 'c') {
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("Cannot parse category in %s"),
                       cat);
        goto cleanup;
    }
    tmp++;
242
    if (virStrToLong_i(tmp, &tmp, 10, catMax) < 0) {
243 244 245 246 247 248
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("Cannot parse category in %s"),
                       cat);
        goto cleanup;
    }

249
    ret = 0;
250 251

cleanup:
252 253
    if (ret < 0)
        VIR_FREE(*sens);
254 255
    freecon(ourSecContext);
    context_free(ourContext);
256
    return ret;
257 258
}

259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298
static char *
virSecuritySELinuxContextAddRange(security_context_t src,
                                  security_context_t dst)
{
    char *str = NULL;
    char *ret = NULL;
    context_t srccon = NULL;
    context_t dstcon = NULL;

    if (!src || !dst)
        return ret;

    if (!(srccon = context_new(src)) || !(dstcon = context_new(dst))) {
        virReportSystemError(errno, "%s",
                             _("unable to allocate security context"));
        goto cleanup;
    }

    if (context_range_set(dstcon, context_range_get(srccon)) == -1) {
        virReportSystemError(errno,
                             _("unable to set security context range '%s'"), dst);
        goto cleanup;
    }

    if (!(str = context_str(dstcon))) {
        virReportSystemError(errno, "%s",
                             _("Unable to format SELinux context"));
        goto cleanup;
    }

    if (!(ret = strdup(str))) {
        virReportOOMError();
        goto cleanup;
    }

cleanup:
    if (srccon) context_free(srccon);
    if (dstcon) context_free(dstcon);
    return ret;
}
299

300
static char *
301 302 303
virSecuritySELinuxGenNewContext(const char *basecontext,
                                const char *mcs,
                                bool isObjectContext)
304
{
305
    context_t context = NULL;
306 307
    char *ret = NULL;
    char *str;
308 309 310
    security_context_t ourSecContext = NULL;
    context_t ourContext = NULL;

311 312 313
    VIR_DEBUG("basecontext=%s mcs=%s isObjectContext=%d",
              basecontext, mcs, isObjectContext);

M
Martin Kletzander 已提交
314
    if (getcon_raw(&ourSecContext) < 0) {
315 316 317 318 319 320 321 322 323 324
        virReportSystemError(errno, "%s",
                             _("Unable to get current process SELinux context"));
        goto cleanup;
    }
    if (!(ourContext = context_new(ourSecContext))) {
        virReportSystemError(errno,
                             _("Unable to parse current SELinux context '%s'"),
                             ourSecContext);
        goto cleanup;
    }
325
    VIR_DEBUG("process=%s", ourSecContext);
326 327 328 329 330 331 332 333

    if (!(context = context_new(basecontext))) {
        virReportSystemError(errno,
                             _("Unable to parse base SELinux context '%s'"),
                             basecontext);
        goto cleanup;
    }

334 335 336 337 338 339 340 341
    if (context_user_set(context,
                         context_user_get(ourContext)) != 0) {
        virReportSystemError(errno,
                             _("Unable to set SELinux context user '%s'"),
                             context_user_get(ourContext));
        goto cleanup;
    }

342 343
    if (!isObjectContext &&
        context_role_set(context,
344 345
                         context_role_get(ourContext)) != 0) {
        virReportSystemError(errno,
346
                             _("Unable to set SELinux context role '%s'"),
347 348 349 350
                             context_role_get(ourContext));
        goto cleanup;
    }

351 352 353 354 355 356 357 358 359 360 361 362 363 364 365
    if (context_range_set(context, mcs) != 0) {
        virReportSystemError(errno,
                             _("Unable to set SELinux context MCS '%s'"),
                             mcs);
        goto cleanup;
    }
    if (!(str = context_str(context))) {
        virReportSystemError(errno, "%s",
                             _("Unable to format SELinux context"));
        goto cleanup;
    }
    if (!(ret = strdup(str))) {
        virReportOOMError();
        goto cleanup;
    }
366
    VIR_DEBUG("Generated context '%s'",  ret);
367
cleanup:
368 369
    freecon(ourSecContext);
    context_free(ourContext);
370 371
    context_free(context);
    return ret;
372 373
}

374

375
#ifdef HAVE_SELINUX_LXC_CONTEXTS_PATH
376
static int
377
virSecuritySELinuxLXCInitialize(virSecurityManagerPtr mgr)
378 379 380 381 382 383 384
{
    virConfValuePtr scon = NULL;
    virConfValuePtr tcon = NULL;
    virConfValuePtr dcon = NULL;
    virConfPtr selinux_conf;
    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);

385 386
    data->skipAllLabel = true;

387
# if HAVE_SELINUX_LABEL_H
388 389 390 391 392 393
    data->label_handle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
    if (!data->label_handle) {
        virReportSystemError(errno, "%s",
                             _("cannot open SELinux label_handle"));
        return -1;
    }
394
# endif
395

396 397 398 399 400
    selinux_conf = virConfReadFile(selinux_lxc_contexts_path(), 0);
    if (!selinux_conf) {
        virReportSystemError(errno,
                             _("cannot open SELinux lxc contexts file '%s'"),
                             selinux_lxc_contexts_path());
401
        goto error;
402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438
    }

    scon = virConfGetValue(selinux_conf, "process");
    if (! scon || scon->type != VIR_CONF_STRING || (! scon->str)) {
        virReportSystemError(errno,
                             _("cannot read 'process' value from selinux lxc contexts file '%s'"),
                             selinux_lxc_contexts_path());
        goto error;
    }

    tcon = virConfGetValue(selinux_conf, "file");
    if (! tcon || tcon->type != VIR_CONF_STRING || (! tcon->str)) {
        virReportSystemError(errno,
                             _("cannot read 'file' value from selinux lxc contexts file '%s'"),
                             selinux_lxc_contexts_path());
        goto error;
    }

    dcon = virConfGetValue(selinux_conf, "content");
    if (! dcon || dcon->type != VIR_CONF_STRING || (! dcon->str)) {
        virReportSystemError(errno,
                             _("cannot read 'file' value from selinux lxc contexts file '%s'"),
                             selinux_lxc_contexts_path());
        goto error;
    }

    data->domain_context = strdup(scon->str);
    data->file_context = strdup(tcon->str);
    data->content_context = strdup(dcon->str);
    if (!data->domain_context ||
        !data->file_context ||
        !data->content_context) {
        virReportSystemError(errno,
                             _("cannot allocate memory for LXC SELinux contexts '%s'"),
                             selinux_lxc_contexts_path());
        goto error;
    }
439 440 441 442

    if (!(data->mcs = virHashCreate(10, NULL)))
        goto error;

443 444 445 446
    virConfFree(selinux_conf);
    return 0;

error:
447
# if HAVE_SELINUX_LABEL_H
448
    selabel_close(data->label_handle);
449
# endif
450 451 452 453
    virConfFree(selinux_conf);
    VIR_FREE(data->domain_context);
    VIR_FREE(data->file_context);
    VIR_FREE(data->content_context);
454
    virHashFree(data->mcs);
455 456
    return -1;
}
457 458
#else
static int
459
virSecuritySELinuxLXCInitialize(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
460 461 462 463 464 465
{
    virReportSystemError(ENOSYS, "%s",
                         _("libselinux does not support LXC contexts path"));
    return -1;
}
#endif
466 467 468


static int
469
virSecuritySELinuxQEMUInitialize(virSecurityManagerPtr mgr)
470
{
471 472
    char *ptr;
    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
473

474 475
    data->skipAllLabel = false;

476 477 478 479 480 481 482 483 484
#if HAVE_SELINUX_LABEL_H
    data->label_handle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
    if (!data->label_handle) {
        virReportSystemError(errno, "%s",
                             _("cannot open SELinux label_handle"));
        return -1;
    }
#endif

485
    if (virFileReadAll(selinux_virtual_domain_context_path(), MAX_CONTEXT, &(data->domain_context)) < 0) {
486
        virReportSystemError(errno,
487
                             _("cannot read SELinux virtual domain context file '%s'"),
488
                             selinux_virtual_domain_context_path());
489
        goto error;
490 491
    }

492
    ptr = strchrnul(data->domain_context, '\n');
493
    if (ptr && *ptr == '\n') {
494
        *ptr = '\0';
495 496 497 498 499 500 501 502 503 504 505 506 507 508 509
        ptr++;
        if (*ptr != '\0') {
            data->alt_domain_context = strdup(ptr);
            if (!data->alt_domain_context) {
                virReportOOMError();
                goto error;
            }
            ptr = strchrnul(data->alt_domain_context, '\n');
            if (ptr && *ptr == '\n')
                *ptr = '\0';
        }
    }
    VIR_DEBUG("Loaded domain context '%s', alt domain context '%s'",
              data->domain_context, NULLSTR(data->alt_domain_context));

510

511
    if (virFileReadAll(selinux_virtual_image_context_path(), 2*MAX_CONTEXT, &(data->file_context)) < 0) {
512
        virReportSystemError(errno,
513 514
                             _("cannot read SELinux virtual image context file %s"),
                             selinux_virtual_image_context_path());
515
        goto error;
516 517
    }

518 519
    ptr = strchrnul(data->file_context, '\n');
    if (ptr && *ptr == '\n') {
520
        *ptr = '\0';
521 522 523 524 525 526 527
        data->content_context = strdup(ptr+1);
        if (!data->content_context) {
            virReportOOMError();
            goto error;
        }
        ptr = strchrnul(data->content_context, '\n');
        if (ptr && *ptr == '\n')
528 529
            *ptr = '\0';
    }
530

531 532 533
    VIR_DEBUG("Loaded file context '%s', content context '%s'",
              data->file_context, data->content_context);

534 535 536
    if (!(data->mcs = virHashCreate(10, NULL)))
        goto error;

537
    return 0;
538 539

error:
540 541 542
#if HAVE_SELINUX_LABEL_H
    selabel_close(data->label_handle);
#endif
543
    VIR_FREE(data->domain_context);
544
    VIR_FREE(data->alt_domain_context);
545 546
    VIR_FREE(data->file_context);
    VIR_FREE(data->content_context);
547
    virHashFree(data->mcs);
548
    return -1;
549 550
}

551 552

static int
553
virSecuritySELinuxInitialize(virSecurityManagerPtr mgr)
554 555 556
{
    VIR_DEBUG("SELinuxInitialize %s", virSecurityManagerGetDriver(mgr));
    if (STREQ(virSecurityManagerGetDriver(mgr),  "LXC")) {
557
        return virSecuritySELinuxLXCInitialize(mgr);
558
    } else {
559
        return virSecuritySELinuxQEMUInitialize(mgr);
560 561 562 563
    }
}


564
static int
565 566
virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
                                   virDomainDefPtr def)
567 568
{
    int rc = -1;
569
    char *mcs = NULL;
570
    char *scontext = NULL;
571
    context_t ctx = NULL;
572
    const char *range;
573 574
    virSecurityLabelDefPtr seclabel;
    virSecuritySELinuxDataPtr data;
575
    const char *baselabel;
576 577
    char *sens = NULL;
    int catMin, catMax;
578

579 580 581 582 583 584 585 586 587 588
    seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (seclabel == NULL) {
        return rc;
    }

    data = virSecurityManagerGetPrivateData(mgr);

    VIR_DEBUG("label=%s", virSecurityManagerGetDriver(mgr));
    if (seclabel->type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
        seclabel->label) {
589 590
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       "%s", _("security label already defined for VM"));
591
        return rc;
D
Daniel P. Berrange 已提交
592
    }
593

594
    if (seclabel->imagelabel) {
595 596
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       "%s", _("security image label already defined for VM"));
597 598 599
        return rc;
    }

600 601
    if (seclabel->model &&
        STRNEQ(seclabel->model, SECURITY_SELINUX_NAME)) {
602 603
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("security label model %s is not supported with selinux"),
604
                       seclabel->model);
605 606 607
        return rc;
    }

608
    VIR_DEBUG("type=%d", seclabel->type);
609

610
    switch (seclabel->type) {
611
    case VIR_DOMAIN_SECLABEL_STATIC:
612
        if (!(ctx = context_new(seclabel->label))) {
613 614
            virReportSystemError(errno,
                                 _("unable to allocate socket security context '%s'"),
615
                                 seclabel->label);
616
            return rc;
617 618
        }

619
        range = context_range_get(ctx);
620 621 622 623 624
        if (!range ||
            !(mcs = strdup(range))) {
            virReportOOMError();
            goto cleanup;
        }
625 626 627
        break;

    case VIR_DOMAIN_SECLABEL_DYNAMIC:
628 629 630 631 632 633 634 635 636
        if (virSecuritySELinuxMCSGetProcessRange(&sens,
                                                 &catMin,
                                                 &catMax) < 0)
            goto cleanup;

        if (!(mcs = virSecuritySELinuxMCSFind(mgr,
                                              sens,
                                              catMin,
                                              catMax)))
637 638 639 640
            goto cleanup;

        if (virSecuritySELinuxMCSAdd(mgr, mcs) < 0)
            goto cleanup;
641

642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661
        baselabel = seclabel->baselabel;
        if (!baselabel) {
            if (def->virtType == VIR_DOMAIN_VIRT_QEMU) {
                if (data->alt_domain_context == NULL) {
                    static bool warned = false;
                    if (!warned) {
                        VIR_WARN("SELinux policy does not define a domain type for QEMU TCG. "
                                 "Guest startup may be denied due to missing 'execmem' privilege "
                                 "unless the 'virt_use_execmem' policy boolean is enabled");
                        warned = true;
                    }
                    baselabel = data->domain_context;
                } else {
                    baselabel = data->alt_domain_context;
                }
            } else {
                baselabel = data->domain_context;
            }
        }

662
        seclabel->label =
663
            virSecuritySELinuxGenNewContext(baselabel, mcs, false);
664
        if (!seclabel->label)  {
665 666
            virReportError(VIR_ERR_INTERNAL_ERROR,
                           _("cannot generate selinux context for %s"), mcs);
667
            goto cleanup;
668
        }
669 670 671 672 673 674 675
        break;

    case VIR_DOMAIN_SECLABEL_NONE:
        /* no op */
        break;

    default:
676 677
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("unexpected security label type '%s'"),
678
                       virDomainSeclabelTypeToString(seclabel->type));
679
        goto cleanup;
D
Daniel P. Berrange 已提交
680
    }
681

682
    if (!seclabel->norelabel) {
683
        seclabel->imagelabel = virSecuritySELinuxGenNewContext(data->file_context,
684 685 686
                                                               mcs,
                                                               true);
        if (!seclabel->imagelabel)  {
687 688
            virReportError(VIR_ERR_INTERNAL_ERROR,
                           _("cannot generate selinux context for %s"), mcs);
689
            goto cleanup;
690
        }
691 692
    }

693 694
    if (!seclabel->model &&
        !(seclabel->model = strdup(SECURITY_SELINUX_NAME))) {
695
        virReportOOMError();
696
        goto cleanup;
D
Daniel P. Berrange 已提交
697 698
    }

699
    rc = 0;
700 701 702

cleanup:
    if (rc != 0) {
703 704 705 706 707 708
        if (seclabel->type == VIR_DOMAIN_SECLABEL_DYNAMIC)
            VIR_FREE(seclabel->label);
        VIR_FREE(seclabel->imagelabel);
        if (seclabel->type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
            !seclabel->baselabel)
            VIR_FREE(seclabel->model);
709 710 711 712
    }

    if (ctx)
        context_free(ctx);
D
Daniel P. Berrange 已提交
713
    VIR_FREE(scontext);
714
    VIR_FREE(mcs);
715
    VIR_FREE(sens);
716 717

    VIR_DEBUG("model=%s label=%s imagelabel=%s baselabel=%s",
718 719 720 721
              NULLSTR(seclabel->model),
              NULLSTR(seclabel->label),
              NULLSTR(seclabel->imagelabel),
              NULLSTR(seclabel->baselabel));
722

723 724 725
    return rc;
}

726
static int
727
virSecuritySELinuxReserveSecurityLabel(virSecurityManagerPtr mgr,
728 729
                                       virDomainDefPtr def,
                                       pid_t pid)
730 731 732 733
{
    security_context_t pctx;
    context_t ctx = NULL;
    const char *mcs;
734
    int rv;
735
    virSecurityLabelDefPtr seclabel;
736

737 738 739 740 741 742
    seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (seclabel == NULL) {
        return -1;
    }

    if (seclabel->type == VIR_DOMAIN_SECLABEL_STATIC)
743 744
        return 0;

M
Martin Kletzander 已提交
745
    if (getpidcon_raw(pid, &pctx) == -1) {
746
        virReportSystemError(errno,
747
                             _("unable to get PID %d security context"), pid);
748 749 750 751
        return -1;
    }

    ctx = context_new(pctx);
752
    freecon(pctx);
753
    if (!ctx)
754
        goto error;
755 756 757

    mcs = context_range_get(ctx);
    if (!mcs)
758 759
        goto error;

760
    if ((rv = virSecuritySELinuxMCSAdd(mgr, mcs)) < 0)
761
        goto error;
762

763 764 765 766 767 768
    if (rv == 1) {
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("MCS level for existing domain label %s already reserved"),
                       (char*)pctx);
        goto error;
    }
769 770 771 772 773

    context_free(ctx);

    return 0;

774
error:
775 776 777 778 779
    context_free(ctx);
    return -1;
}


780
static int
781
virSecuritySELinuxSecurityDriverProbe(const char *virtDriver)
782
{
783 784 785
    if (!is_selinux_enabled())
        return SECURITY_DRIVER_DISABLE;

786 787 788 789 790 791
    if (virtDriver && STREQ(virtDriver, "LXC")) {
#if HAVE_SELINUX_LXC_CONTEXTS_PATH
        if (!virFileExists(selinux_lxc_contexts_path()))
#endif
            return SECURITY_DRIVER_DISABLE;
    }
792 793

    return SECURITY_DRIVER_ENABLE;
794 795
}

796

797
static int
798
virSecuritySELinuxSecurityDriverOpen(virSecurityManagerPtr mgr)
799
{
800
    return virSecuritySELinuxInitialize(mgr);
801 802
}

803

804
static int
805
virSecuritySELinuxSecurityDriverClose(virSecurityManagerPtr mgr)
806
{
807 808 809 810 811
    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);

    if (!data)
        return 0;

812 813 814 815
#if HAVE_SELINUX_LABEL_H
    selabel_close(data->label_handle);
#endif

816 817
    virHashFree(data->mcs);

818
    VIR_FREE(data->domain_context);
819
    VIR_FREE(data->alt_domain_context);
820 821 822
    VIR_FREE(data->file_context);
    VIR_FREE(data->content_context);

823 824 825 826
    return 0;
}


827 828
static const char *
virSecuritySELinuxSecurityGetModel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
829 830 831 832
{
    return SECURITY_SELINUX_NAME;
}

833 834
static const char *
virSecuritySELinuxSecurityGetDOI(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
835 836 837 838 839
{
    /*
     * Where will the DOI come from?  SELinux configuration, or qemu
     * configuration? For the moment, we'll just set it to "0".
     */
840
    return SECURITY_SELINUX_VOID_DOI;
841 842 843
}

static int
844 845 846 847
virSecuritySELinuxGetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                          virDomainDefPtr def ATTRIBUTE_UNUSED,
                                          pid_t pid,
                                          virSecurityLabelPtr sec)
848 849 850
{
    security_context_t ctx;

M
Martin Kletzander 已提交
851
    if (getpidcon_raw(pid, &ctx) == -1) {
852
        virReportSystemError(errno,
853
                             _("unable to get PID %d security context"),
854
                             pid);
855 856 857 858
        return -1;
    }

    if (strlen((char *) ctx) >= VIR_SECURITY_LABEL_BUFLEN) {
859 860 861 862
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("security label exceeds "
                         "maximum length: %d"),
                       VIR_SECURITY_LABEL_BUFLEN - 1);
863
        freecon(ctx);
864 865 866 867
        return -1;
    }

    strcpy(sec->label, (char *) ctx);
868
    freecon(ctx);
869

870
    VIR_DEBUG("label=%s", sec->label);
871 872
    sec->enforcing = security_getenforce();
    if (sec->enforcing == -1) {
873
        virReportSystemError(errno, "%s",
874
                             _("error calling security_getenforce()"));
875 876 877 878 879 880
        return -1;
    }

    return 0;
}

881 882 883
/* Attempt to change the label of PATH to TCON.  If OPTIONAL is true,
 * return 1 if labelling was not possible.  Otherwise, require a label
 * change, and return 0 for success, -1 for failure.  */
884
static int
885
virSecuritySELinuxSetFileconHelper(const char *path, char *tcon, bool optional)
886
{
887
    security_context_t econ;
888

889 890
    VIR_INFO("Setting SELinux context on '%s' to '%s'", path, tcon);

M
Martin Kletzander 已提交
891
    if (setfilecon_raw(path, tcon) < 0) {
892 893
        int setfilecon_errno = errno;

M
Martin Kletzander 已提交
894
        if (getfilecon_raw(path, &econ) >= 0) {
895 896 897
            if (STREQ(tcon, econ)) {
                freecon(econ);
                /* It's alright, there's nothing to change anyway. */
898
                return optional ? 1 : 0;
899 900 901
            }
            freecon(econ);
        }
902 903

        /* if the error complaint is related to an image hosted on
904 905
         * an nfs mount, or a usbfs/sysfs filesystem not supporting
         * labelling, then just ignore it & hope for the best.
906
         * The user hopefully set one of the necessary SELinux
907
         * virt_use_{nfs,usb,pci}  boolean tunables to allow it...
908
         */
909
        if (setfilecon_errno != EOPNOTSUPP && setfilecon_errno != ENOTSUP) {
910
            virReportSystemError(setfilecon_errno,
911
                                 _("unable to set security context '%s' on '%s'"),
912
                                 tcon, path);
913 914
            if (security_getenforce() == 1)
                return -1;
915
        } else {
916 917 918 919 920 921 922 923 924 925 926 927 928 929
            const char *msg;
            if ((virStorageFileIsSharedFSType(path,
                                              VIR_STORAGE_FILE_SHFS_NFS) == 1) &&
                security_get_boolean_active("virt_use_nfs") != 1) {
                msg = _("Setting security context '%s' on '%s' not supported. "
                        "Consider setting virt_use_nfs");
               if (security_getenforce() == 1)
                   VIR_WARN(msg, tcon, path);
               else
                   VIR_INFO(msg, tcon, path);
            } else {
                VIR_INFO("Setting security context '%s' on '%s' not supported",
                         tcon, path);
            }
930 931
            if (optional)
                return 1;
932
        }
933 934 935 936
    }
    return 0;
}

937
static int
938
virSecuritySELinuxSetFileconOptional(const char *path, char *tcon)
939
{
940
    return virSecuritySELinuxSetFileconHelper(path, tcon, true);
941 942 943
}

static int
944
virSecuritySELinuxSetFilecon(const char *path, char *tcon)
945
{
946
    return virSecuritySELinuxSetFileconHelper(path, tcon, false);
947 948
}

949
static int
950
virSecuritySELinuxFSetFilecon(int fd, char *tcon)
951 952 953 954 955
{
    security_context_t econ;

    VIR_INFO("Setting SELinux context on fd %d to '%s'", fd, tcon);

M
Martin Kletzander 已提交
956
    if (fsetfilecon_raw(fd, tcon) < 0) {
957 958
        int fsetfilecon_errno = errno;

M
Martin Kletzander 已提交
959
        if (fgetfilecon_raw(fd, &econ) >= 0) {
960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987
            if (STREQ(tcon, econ)) {
                freecon(econ);
                /* It's alright, there's nothing to change anyway. */
                return 0;
            }
            freecon(econ);
        }

        /* if the error complaint is related to an image hosted on
         * an nfs mount, or a usbfs/sysfs filesystem not supporting
         * labelling, then just ignore it & hope for the best.
         * The user hopefully set one of the necessary SELinux
         * virt_use_{nfs,usb,pci}  boolean tunables to allow it...
         */
        if (fsetfilecon_errno != EOPNOTSUPP) {
            virReportSystemError(fsetfilecon_errno,
                                 _("unable to set security context '%s' on fd %d"),
                                 tcon, fd);
            if (security_getenforce() == 1)
                return -1;
        } else {
            VIR_INFO("Setting security context '%s' on fd %d not supported",
                     tcon, fd);
        }
    }
    return 0;
}

E
Eric Blake 已提交
988 989
/* Set fcon to the appropriate label for path and mode, or return -1.  */
static int
990
getContext(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
991
           const char *newpath, mode_t mode, security_context_t *fcon)
E
Eric Blake 已提交
992 993
{
#if HAVE_SELINUX_LABEL_H
994
    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
E
Eric Blake 已提交
995

996
    return selabel_lookup_raw(data->label_handle, fcon, newpath, mode);
E
Eric Blake 已提交
997 998 999 1000 1001
#else
    return matchpathcon(newpath, mode, fcon);
#endif
}

1002 1003 1004

/* This method shouldn't raise errors, since they'll overwrite
 * errors that the caller(s) are already dealing with */
1005
static int
1006 1007
virSecuritySELinuxRestoreSecurityFileLabel(virSecurityManagerPtr mgr,
                                           const char *path)
1008
{
1009 1010 1011 1012
    struct stat buf;
    security_context_t fcon = NULL;
    int rc = -1;
    char *newpath = NULL;
1013
    char ebuf[1024];
1014

1015 1016
    VIR_INFO("Restoring SELinux context on '%s'", path);

1017
    if (virFileResolveLink(path, &newpath) < 0) {
1018 1019
        VIR_WARN("cannot resolve symlink %s: %s", path,
                 virStrerror(errno, ebuf, sizeof(ebuf)));
D
Daniel P. Berrange 已提交
1020
        goto err;
1021
    }
1022

1023
    if (stat(newpath, &buf) != 0) {
1024 1025
        VIR_WARN("cannot stat %s: %s", newpath,
                 virStrerror(errno, ebuf, sizeof(ebuf)));
D
Daniel P. Berrange 已提交
1026
        goto err;
1027
    }
D
Daniel P. Berrange 已提交
1028

1029
    if (getContext(mgr, newpath, buf.st_mode, &fcon) < 0) {
1030 1031 1032
        /* Any user created path likely does not have a default label,
         * which makes this an expected non error
         */
1033
        VIR_WARN("cannot lookup default selinux label for %s", newpath);
1034
        rc = 0;
1035
    } else {
1036
        rc = virSecuritySELinuxSetFilecon(newpath, fcon);
1037
    }
1038

1039
err:
1040
    freecon(fcon);
1041 1042
    VIR_FREE(newpath);
    return rc;
1043 1044
}

1045
static int
1046
virSecuritySELinuxRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr,
1047 1048 1049
                                               virDomainDefPtr def,
                                               virDomainDiskDefPtr disk,
                                               int migrated)
1050
{
1051 1052 1053 1054 1055 1056
    virSecurityLabelDefPtr seclabel;
    virSecurityDeviceLabelDefPtr disk_seclabel;

    seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (seclabel == NULL)
        return -1;
1057

1058 1059 1060
    disk_seclabel = virDomainDiskDefGetSecurityLabelDef(disk,
                                                        SECURITY_SELINUX_NAME);
    if (seclabel->norelabel || (disk_seclabel && disk_seclabel->norelabel))
1061 1062
        return 0;

1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 1073
    /* Don't restore labels on readoly/shared disks, because
     * other VMs may still be accessing these
     * Alternatively we could iterate over all running
     * domains and try to figure out if it is in use, but
     * this would not work for clustered filesystems, since
     * we can't see running VMs using the file on other nodes
     * Safest bet is thus to skip the restore step.
     */
    if (disk->readonly || disk->shared)
        return 0;

1074
    if (!disk->src || disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK)
1075 1076
        return 0;

1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092
    /* If we have a shared FS & doing migrated, we must not
     * change ownership, because that kills access on the
     * destination host which is sub-optimal for the guest
     * VM's I/O attempts :-)
     */
    if (migrated) {
        int rc = virStorageFileIsSharedFS(disk->src);
        if (rc < 0)
            return -1;
        if (rc == 1) {
            VIR_DEBUG("Skipping image label restore on %s because FS is shared",
                      disk->src);
            return 0;
        }
    }

1093
    return virSecuritySELinuxRestoreSecurityFileLabel(mgr, disk->src);
1094 1095
}

1096 1097

static int
1098 1099 1100
virSecuritySELinuxRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
                                            virDomainDefPtr def,
                                            virDomainDiskDefPtr disk)
1101
{
1102
    return virSecuritySELinuxRestoreSecurityImageLabelInt(mgr, def, disk, 0);
1103 1104 1105
}


1106
static int
1107 1108 1109 1110
virSecuritySELinuxSetSecurityFileLabel(virDomainDiskDefPtr disk,
                                       const char *path,
                                       size_t depth,
                                       void *opaque)
1111
{
1112 1113
    int ret;
    virSecurityDeviceLabelDefPtr disk_seclabel;
1114 1115 1116
    virSecuritySELinuxCallbackDataPtr cbdata = opaque;
    const virSecurityLabelDefPtr secdef = cbdata->secdef;
    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(cbdata->manager);
1117

1118 1119 1120 1121
    disk_seclabel = virDomainDiskDefGetSecurityLabelDef(disk,
                                                        SECURITY_SELINUX_NAME);

    if (disk_seclabel && disk_seclabel->norelabel)
1122 1123
        return 0;

1124 1125 1126
    if (disk_seclabel && !disk_seclabel->norelabel &&
        disk_seclabel->label) {
        ret = virSecuritySELinuxSetFilecon(path, disk_seclabel->label);
1127
    } else if (depth == 0) {
1128

1129
        if (disk->shared) {
1130
            ret = virSecuritySELinuxSetFileconOptional(path, data->file_context);
1131
        } else if (disk->readonly) {
1132
            ret = virSecuritySELinuxSetFileconOptional(path, data->content_context);
1133
        } else if (secdef->imagelabel) {
1134
            ret = virSecuritySELinuxSetFileconOptional(path, secdef->imagelabel);
1135
        } else {
1136
            ret = 0;
1137 1138
        }
    } else {
1139
        ret = virSecuritySELinuxSetFileconOptional(path, data->content_context);
1140
    }
1141
    if (ret == 1 && !disk_seclabel) {
1142 1143
        /* If we failed to set a label, but virt_use_nfs let us
         * proceed anyway, then we don't need to relabel later.  */
1144 1145 1146
        disk_seclabel =
            virDomainDiskDefAddSecurityLabelDef(disk, SECURITY_SELINUX_NAME);
        if (!disk_seclabel)
1147
            return -1;
1148
        disk_seclabel->norelabel = true;
1149
        ret = 0;
1150
    }
1151
    return ret;
1152 1153
}

1154
static int
1155 1156 1157
virSecuritySELinuxSetSecurityImageLabel(virSecurityManagerPtr mgr,
                                        virDomainDefPtr def,
                                        virDomainDiskDefPtr disk)
1158 1159

{
1160 1161
    virSecuritySELinuxCallbackData cbdata;
    cbdata.manager = mgr;
1162
    cbdata.secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
1163

1164 1165
    if (cbdata.secdef == NULL)
        return -1;
1166

1167
    if (cbdata.secdef->norelabel)
1168 1169
        return 0;

1170 1171 1172
    if (disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK)
        return 0;

1173
    return virDomainDiskDefForeachPath(disk,
1174
                                       true,
1175
                                       virSecuritySELinuxSetSecurityFileLabel,
1176
                                       &cbdata);
1177 1178
}

1179 1180

static int
1181
virSecuritySELinuxSetSecurityPCILabel(virPCIDevicePtr dev ATTRIBUTE_UNUSED,
1182
                                      const char *file, void *opaque)
1183
{
1184
    virSecurityLabelDefPtr secdef;
1185
    virDomainDefPtr def = opaque;
1186

1187 1188 1189
    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (secdef == NULL)
        return -1;
1190
    return virSecuritySELinuxSetFilecon(file, secdef->imagelabel);
1191 1192 1193
}

static int
1194
virSecuritySELinuxSetSecurityUSBLabel(virUSBDevicePtr dev ATTRIBUTE_UNUSED,
1195
                                      const char *file, void *opaque)
1196
{
1197
    virSecurityLabelDefPtr secdef;
1198
    virDomainDefPtr def = opaque;
1199 1200 1201 1202

    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (secdef == NULL)
        return -1;
1203

1204
    return virSecuritySELinuxSetFilecon(file, secdef->imagelabel);
1205 1206
}

1207

1208
static int
1209 1210 1211
virSecuritySELinuxSetSecurityHostdevSubsysLabel(virDomainDefPtr def,
                                                virDomainHostdevDefPtr dev,
                                                const char *vroot)
1212 1213 1214 1215 1216 1217

{
    int ret = -1;

    switch (dev->source.subsys.type) {
    case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB: {
1218
        virUSBDevicePtr usb;
1219

1220 1221 1222
        if (dev->missing)
            return 0;

1223 1224 1225
        usb = virUSBDeviceNew(dev->source.subsys.u.usb.bus,
                              dev->source.subsys.u.usb.device,
                              vroot);
1226 1227
        if (!usb)
            goto done;
1228

1229 1230
        ret = virUSBDeviceFileIterate(usb, virSecuritySELinuxSetSecurityUSBLabel, def);
        virUSBDeviceFree(usb);
M
Mark McLoughlin 已提交
1231
        break;
1232 1233 1234
    }

    case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI: {
1235 1236 1237 1238 1239
        virPCIDevicePtr pci =
            virPCIDeviceNew(dev->source.subsys.u.pci.domain,
                            dev->source.subsys.u.pci.bus,
                            dev->source.subsys.u.pci.slot,
                            dev->source.subsys.u.pci.function);
1240 1241 1242 1243

        if (!pci)
            goto done;

1244 1245
        ret = virPCIDeviceFileIterate(pci, virSecuritySELinuxSetSecurityPCILabel, def);
        virPCIDeviceFree(pci);
1246 1247 1248 1249 1250 1251 1252 1253 1254 1255 1256 1257 1258

        break;
    }

    default:
        ret = 0;
        break;
    }

done:
    return ret;
}

1259

1260 1261 1262 1263 1264 1265 1266 1267 1268 1269 1270 1271 1272 1273 1274 1275 1276 1277 1278 1279 1280 1281 1282 1283 1284 1285 1286 1287 1288 1289 1290 1291 1292 1293 1294 1295 1296 1297 1298 1299 1300 1301 1302 1303 1304 1305 1306 1307 1308 1309 1310 1311 1312 1313 1314 1315 1316 1317 1318
static int
virSecuritySELinuxSetSecurityHostdevCapsLabel(virDomainDefPtr def,
                                              virDomainHostdevDefPtr dev,
                                              const char *vroot)
{
    int ret = -1;
    virSecurityLabelDefPtr secdef;
    char *path;

    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (secdef == NULL)
        return -1;

    switch (dev->source.caps.type) {
    case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_STORAGE: {
        if (vroot) {
            if (virAsprintf(&path, "%s/%s", vroot,
                            dev->source.caps.u.storage.block) < 0) {
                virReportOOMError();
                return -1;
            }
        } else {
            if (!(path = strdup(dev->source.caps.u.storage.block))) {
                virReportOOMError();
                return -1;
            }
        }
        ret = virSecuritySELinuxSetFilecon(path, secdef->imagelabel);
        VIR_FREE(path);
        break;
    }

    case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_MISC: {
        if (vroot) {
            if (virAsprintf(&path, "%s/%s", vroot,
                            dev->source.caps.u.misc.chardev) < 0) {
                virReportOOMError();
                return -1;
            }
        } else {
            if (!(path = strdup(dev->source.caps.u.misc.chardev))) {
                virReportOOMError();
                return -1;
            }
        }
        ret = virSecuritySELinuxSetFilecon(path, secdef->imagelabel);
        VIR_FREE(path);
        break;
    }

    default:
        ret = 0;
        break;
    }

    return ret;
}


1319 1320 1321 1322 1323 1324 1325 1326 1327 1328 1329 1330 1331 1332 1333 1334 1335 1336 1337 1338
static int
virSecuritySELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                          virDomainDefPtr def,
                                          virDomainHostdevDefPtr dev,
                                          const char *vroot)

{
    virSecurityLabelDefPtr secdef;

    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (secdef == NULL)
        return -1;

    if (secdef->norelabel)
        return 0;

    switch (dev->mode) {
    case VIR_DOMAIN_HOSTDEV_MODE_SUBSYS:
        return virSecuritySELinuxSetSecurityHostdevSubsysLabel(def, dev, vroot);

1339 1340 1341
    case VIR_DOMAIN_HOSTDEV_MODE_CAPABILITIES:
        return virSecuritySELinuxSetSecurityHostdevCapsLabel(def, dev, vroot);

1342 1343 1344 1345 1346 1347
    default:
        return 0;
    }
}


1348
static int
1349
virSecuritySELinuxRestoreSecurityPCILabel(virPCIDevicePtr dev ATTRIBUTE_UNUSED,
1350
                                          const char *file,
1351
                                          void *opaque)
1352
{
1353 1354 1355
    virSecurityManagerPtr mgr = opaque;

    return virSecuritySELinuxRestoreSecurityFileLabel(mgr, file);
1356 1357 1358
}

static int
1359
virSecuritySELinuxRestoreSecurityUSBLabel(virUSBDevicePtr dev ATTRIBUTE_UNUSED,
1360
                                          const char *file,
1361
                                          void *opaque)
1362
{
1363 1364 1365
    virSecurityManagerPtr mgr = opaque;

    return virSecuritySELinuxRestoreSecurityFileLabel(mgr, file);
1366 1367
}

1368

1369
static int
1370 1371
virSecuritySELinuxRestoreSecurityHostdevSubsysLabel(virSecurityManagerPtr mgr,
                                                    virDomainHostdevDefPtr dev,
1372
                                                    const char *vroot)
1373 1374 1375 1376 1377 1378

{
    int ret = -1;

    switch (dev->source.subsys.type) {
    case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB: {
1379
        virUSBDevicePtr usb;
1380 1381 1382

        if (dev->missing)
            return 0;
1383

1384 1385 1386
        usb = virUSBDeviceNew(dev->source.subsys.u.usb.bus,
                              dev->source.subsys.u.usb.device,
                              vroot);
1387 1388 1389
        if (!usb)
            goto done;

1390 1391
        ret = virUSBDeviceFileIterate(usb, virSecuritySELinuxRestoreSecurityUSBLabel, mgr);
        virUSBDeviceFree(usb);
1392 1393 1394 1395 1396

        break;
    }

    case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI: {
1397 1398 1399 1400 1401
        virPCIDevicePtr pci =
            virPCIDeviceNew(dev->source.subsys.u.pci.domain,
                            dev->source.subsys.u.pci.bus,
                            dev->source.subsys.u.pci.slot,
                            dev->source.subsys.u.pci.function);
1402 1403 1404 1405

        if (!pci)
            goto done;

1406 1407
        ret = virPCIDeviceFileIterate(pci, virSecuritySELinuxRestoreSecurityPCILabel, mgr);
        virPCIDeviceFree(pci);
1408 1409 1410 1411 1412 1413 1414 1415 1416 1417 1418 1419 1420

        break;
    }

    default:
        ret = 0;
        break;
    }

done:
    return ret;
}

1421

1422
static int
1423 1424
virSecuritySELinuxRestoreSecurityHostdevCapsLabel(virSecurityManagerPtr mgr,
                                                  virDomainHostdevDefPtr dev,
1425 1426 1427 1428 1429 1430 1431 1432 1433 1434 1435 1436 1437 1438 1439 1440 1441 1442 1443
                                                  const char *vroot)
{
    int ret = -1;
    char *path;

    switch (dev->source.caps.type) {
    case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_STORAGE: {
        if (vroot) {
            if (virAsprintf(&path, "%s/%s", vroot,
                            dev->source.caps.u.storage.block) < 0) {
                virReportOOMError();
                return -1;
            }
        } else {
            if (!(path = strdup(dev->source.caps.u.storage.block))) {
                virReportOOMError();
                return -1;
            }
        }
1444
        ret = virSecuritySELinuxRestoreSecurityFileLabel(mgr, path);
1445 1446 1447 1448 1449 1450 1451 1452 1453 1454 1455 1456 1457 1458 1459 1460 1461
        VIR_FREE(path);
        break;
    }

    case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_MISC: {
        if (vroot) {
            if (virAsprintf(&path, "%s/%s", vroot,
                            dev->source.caps.u.misc.chardev) < 0) {
                virReportOOMError();
                return -1;
            }
        } else {
            if (!(path = strdup(dev->source.caps.u.misc.chardev))) {
                virReportOOMError();
                return -1;
            }
        }
1462
        ret = virSecuritySELinuxRestoreSecurityFileLabel(mgr, path);
1463 1464 1465 1466 1467 1468 1469 1470 1471 1472 1473 1474 1475
        VIR_FREE(path);
        break;
    }

    default:
        ret = 0;
        break;
    }

    return ret;
}


1476
static int
1477
virSecuritySELinuxRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
1478 1479 1480 1481 1482 1483 1484 1485 1486 1487 1488 1489 1490 1491 1492 1493
                                              virDomainDefPtr def,
                                              virDomainHostdevDefPtr dev,
                                              const char *vroot)

{
    virSecurityLabelDefPtr secdef;

    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (secdef == NULL)
        return -1;

    if (secdef->norelabel)
        return 0;

    switch (dev->mode) {
    case VIR_DOMAIN_HOSTDEV_MODE_SUBSYS:
1494
        return virSecuritySELinuxRestoreSecurityHostdevSubsysLabel(mgr, dev, vroot);
1495

1496
    case VIR_DOMAIN_HOSTDEV_MODE_CAPABILITIES:
1497
        return virSecuritySELinuxRestoreSecurityHostdevCapsLabel(mgr, dev, vroot);
1498

1499 1500 1501 1502 1503 1504
    default:
        return 0;
    }
}


1505
static int
1506
virSecuritySELinuxSetSecurityChardevLabel(virDomainDefPtr def,
1507 1508
                                          virDomainChrDefPtr dev,
                                          virDomainChrSourceDefPtr dev_source)
1509 1510

{
1511 1512 1513
    virSecurityLabelDefPtr seclabel;
    virSecurityDeviceLabelDefPtr chr_seclabel = NULL;
    char *imagelabel = NULL;
1514 1515 1516
    char *in = NULL, *out = NULL;
    int ret = -1;

1517 1518
    seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (seclabel == NULL)
1519 1520
        return -1;

1521 1522 1523 1524 1525
    if (dev)
        chr_seclabel = virDomainChrDefGetSecurityLabelDef(dev,
                                                          SECURITY_SELINUX_NAME);

    if (seclabel->norelabel || (chr_seclabel && chr_seclabel->norelabel))
1526 1527
        return 0;

1528 1529 1530 1531 1532 1533
    if (chr_seclabel)
        imagelabel = chr_seclabel->label;
    if (!imagelabel)
        imagelabel = seclabel->imagelabel;

    switch (dev_source->type) {
1534 1535
    case VIR_DOMAIN_CHR_TYPE_DEV:
    case VIR_DOMAIN_CHR_TYPE_FILE:
1536 1537 1538 1539 1540 1541 1542 1543 1544 1545 1546
        ret = virSecuritySELinuxSetFilecon(dev_source->data.file.path,
                                           imagelabel);
        break;

    case VIR_DOMAIN_CHR_TYPE_UNIX:
        if (!dev_source->data.nix.listen) {
            if (virSecuritySELinuxSetFilecon(dev_source->data.file.path,
                                             imagelabel) < 0)
                goto done;
        }
        ret = 0;
1547 1548 1549
        break;

    case VIR_DOMAIN_CHR_TYPE_PIPE:
1550 1551
        if ((virAsprintf(&in, "%s.in", dev_source->data.file.path) < 0) ||
            (virAsprintf(&out, "%s.out", dev_source->data.file.path) < 0)) {
1552 1553 1554 1555
            virReportOOMError();
            goto done;
        }
        if (virFileExists(in) && virFileExists(out)) {
1556 1557
            if ((virSecuritySELinuxSetFilecon(in, imagelabel) < 0) ||
                (virSecuritySELinuxSetFilecon(out, imagelabel) < 0)) {
1558
                goto done;
1559
            }
1560 1561
        } else if (virSecuritySELinuxSetFilecon(dev_source->data.file.path,
                                                imagelabel) < 0) {
1562
            goto done;
1563 1564 1565 1566 1567 1568 1569 1570 1571 1572 1573 1574 1575 1576 1577 1578
        }
        ret = 0;
        break;

    default:
        ret = 0;
        break;
    }

done:
    VIR_FREE(in);
    VIR_FREE(out);
    return ret;
}

static int
1579 1580
virSecuritySELinuxRestoreSecurityChardevLabel(virSecurityManagerPtr mgr,
                                              virDomainDefPtr def,
1581 1582
                                              virDomainChrDefPtr dev,
                                              virDomainChrSourceDefPtr dev_source)
1583 1584

{
1585 1586
    virSecurityLabelDefPtr seclabel;
    virSecurityDeviceLabelDefPtr chr_seclabel = NULL;
1587 1588 1589
    char *in = NULL, *out = NULL;
    int ret = -1;

1590 1591
    seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (seclabel == NULL)
1592 1593
        return -1;

1594 1595 1596 1597
    if (dev)
        chr_seclabel = virDomainChrDefGetSecurityLabelDef(dev,
                                                          SECURITY_SELINUX_NAME);
    if (seclabel->norelabel || (chr_seclabel && chr_seclabel->norelabel))
1598 1599
        return 0;

1600
    switch (dev_source->type) {
1601 1602
    case VIR_DOMAIN_CHR_TYPE_DEV:
    case VIR_DOMAIN_CHR_TYPE_FILE:
1603
        if (virSecuritySELinuxRestoreSecurityFileLabel(mgr, dev_source->data.file.path) < 0)
1604 1605
            goto done;
        ret = 0;
1606
        break;
1607 1608 1609

    case VIR_DOMAIN_CHR_TYPE_UNIX:
        if (!dev_source->data.nix.listen) {
1610
            if (virSecuritySELinuxRestoreSecurityFileLabel(mgr, dev_source->data.file.path) < 0)
1611 1612 1613 1614 1615
                goto done;
        }
        ret = 0;
        break;

1616
    case VIR_DOMAIN_CHR_TYPE_PIPE:
1617 1618
        if ((virAsprintf(&out, "%s.out", dev_source->data.file.path) < 0) ||
            (virAsprintf(&in, "%s.in", dev_source->data.file.path) < 0)) {
1619 1620 1621
            virReportOOMError();
            goto done;
        }
1622
        if (virFileExists(in) && virFileExists(out)) {
1623 1624
            if ((virSecuritySELinuxRestoreSecurityFileLabel(mgr, out) < 0) ||
                (virSecuritySELinuxRestoreSecurityFileLabel(mgr, in) < 0)) {
1625 1626
                goto done;
            }
1627
        } else if (virSecuritySELinuxRestoreSecurityFileLabel(mgr, dev_source->data.file.path) < 0) {
1628
            goto done;
1629
        }
1630 1631 1632 1633 1634 1635 1636 1637 1638 1639 1640 1641 1642 1643 1644 1645
        ret = 0;
        break;

    default:
        ret = 0;
        break;
    }

done:
    VIR_FREE(in);
    VIR_FREE(out);
    return ret;
}


static int
1646 1647
virSecuritySELinuxRestoreSecurityChardevCallback(virDomainDefPtr def,
                                                 virDomainChrDefPtr dev,
1648
                                                 void *opaque)
1649
{
1650 1651
    virSecurityManagerPtr mgr = opaque;

1652 1653 1654 1655 1656
    /* This is taken care of by processing of def->serials */
    if (dev->deviceType == VIR_DOMAIN_CHR_DEVICE_TYPE_CONSOLE &&
        dev->targetType == VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_SERIAL)
        return 0;

1657
    return virSecuritySELinuxRestoreSecurityChardevLabel(mgr, def, dev,
1658
                                                         &dev->source);
1659 1660 1661
}


E
Eric Blake 已提交
1662
static int
1663 1664
virSecuritySELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def,
                                                   virDomainSmartcardDefPtr dev,
1665
                                                   void *opaque)
E
Eric Blake 已提交
1666
{
1667
    virSecurityManagerPtr mgr = opaque;
E
Eric Blake 已提交
1668 1669 1670 1671 1672 1673 1674 1675 1676 1677
    const char *database;

    switch (dev->type) {
    case VIR_DOMAIN_SMARTCARD_TYPE_HOST:
        break;

    case VIR_DOMAIN_SMARTCARD_TYPE_HOST_CERTIFICATES:
        database = dev->data.cert.database;
        if (!database)
            database = VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE;
1678
        return virSecuritySELinuxRestoreSecurityFileLabel(mgr, database);
E
Eric Blake 已提交
1679 1680

    case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
1681
        return virSecuritySELinuxRestoreSecurityChardevLabel(mgr, def, NULL, &dev->data.passthru);
E
Eric Blake 已提交
1682 1683

    default:
1684 1685 1686
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("unknown smartcard type %d"),
                       dev->type);
E
Eric Blake 已提交
1687 1688 1689 1690 1691 1692 1693
        return -1;
    }

    return 0;
}


1694
static int
1695
virSecuritySELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
1696 1697
                                          virDomainDefPtr def,
                                          int migrated ATTRIBUTE_UNUSED)
1698
{
1699
    virSecurityLabelDefPtr secdef;
1700
    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
1701 1702
    int i;
    int rc = 0;
1703

1704
    VIR_DEBUG("Restoring security label on %s", def->name);
1705

1706 1707 1708 1709
    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (secdef == NULL)
        return -1;

1710
    if (secdef->norelabel || data->skipAllLabel)
1711 1712
        return 0;

1713
    for (i = 0 ; i < def->nhostdevs ; i++) {
1714 1715
        if (virSecuritySELinuxRestoreSecurityHostdevLabel(mgr,
                                                          def,
1716 1717
                                                          def->hostdevs[i],
                                                          NULL) < 0)
1718
            rc = -1;
1719
    }
1720
    for (i = 0 ; i < def->ndisks ; i++) {
1721 1722 1723 1724
        if (virSecuritySELinuxRestoreSecurityImageLabelInt(mgr,
                                                           def,
                                                           def->disks[i],
                                                           migrated) < 0)
1725 1726
            rc = -1;
    }
1727

1728
    if (virDomainChrDefForeach(def,
1729
                               false,
1730
                               virSecuritySELinuxRestoreSecurityChardevCallback,
1731
                               mgr) < 0)
1732 1733
        rc = -1;

1734
    if (virDomainSmartcardDefForeach(def,
E
Eric Blake 已提交
1735
                                     false,
1736
                                     virSecuritySELinuxRestoreSecuritySmartcardCallback,
1737
                                     mgr) < 0)
E
Eric Blake 已提交
1738 1739
        rc = -1;

1740
    if (def->os.kernel &&
1741
        virSecuritySELinuxRestoreSecurityFileLabel(mgr, def->os.kernel) < 0)
1742 1743
        rc = -1;

1744
    if (def->os.initrd &&
1745
        virSecuritySELinuxRestoreSecurityFileLabel(mgr, def->os.initrd) < 0)
1746 1747
        rc = -1;

1748 1749 1750 1751
    return rc;
}

static int
1752
virSecuritySELinuxReleaseSecurityLabel(virSecurityManagerPtr mgr,
1753
                                       virDomainDefPtr def)
1754
{
1755 1756 1757 1758 1759
    virSecurityLabelDefPtr secdef;

    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (secdef == NULL)
        return -1;
1760

1761 1762 1763 1764
    if (secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
        if (secdef->label != NULL) {
            context_t con = context_new(secdef->label);
            if (con) {
1765
                virSecuritySELinuxMCSRemove(mgr, context_range_get(con));
1766 1767 1768 1769 1770 1771
                context_free(con);
            }
        }
        VIR_FREE(secdef->label);
        if (!secdef->baselabel)
            VIR_FREE(secdef->model);
1772 1773 1774
    }
    VIR_FREE(secdef->imagelabel);

1775
    return 0;
1776 1777
}

1778 1779

static int
1780 1781 1782
virSecuritySELinuxSetSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                     virDomainDefPtr def,
                                     const char *savefile)
1783
{
1784 1785 1786 1787 1788
    virSecurityLabelDefPtr secdef;

    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (secdef == NULL)
        return -1;
1789

1790
    if (secdef->norelabel)
1791 1792
        return 0;

1793
    return virSecuritySELinuxSetFilecon(savefile, secdef->imagelabel);
1794 1795 1796 1797
}


static int
1798
virSecuritySELinuxRestoreSavedStateLabel(virSecurityManagerPtr mgr,
1799 1800
                                         virDomainDefPtr def,
                                         const char *savefile)
1801
{
1802 1803 1804 1805 1806
    virSecurityLabelDefPtr secdef;

    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (secdef == NULL)
        return -1;
1807

1808
    if (secdef->norelabel)
1809 1810
        return 0;

1811
    return virSecuritySELinuxRestoreSecurityFileLabel(mgr, savefile);
1812 1813 1814
}


1815
static int
1816 1817
virSecuritySELinuxSecurityVerify(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                 virDomainDefPtr def)
1818
{
1819 1820 1821 1822 1823 1824
    virSecurityLabelDefPtr secdef;

    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (secdef == NULL)
        return -1;

1825
    if (!STREQ(SECURITY_SELINUX_NAME, secdef->model)) {
1826 1827 1828 1829
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("security label driver mismatch: "
                         "'%s' model configured for domain, but "
                         "hypervisor driver is '%s'."),
1830
                       secdef->model, SECURITY_SELINUX_NAME);
1831 1832 1833
        return -1;
    }

1834 1835
    if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC) {
        if (security_check_context(secdef->label) != 0) {
1836 1837
            virReportError(VIR_ERR_XML_ERROR,
                           _("Invalid security label %s"), secdef->label);
1838 1839 1840 1841 1842 1843
            return -1;
        }
    }
    return 0;
}

1844
static int
1845
virSecuritySELinuxSetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
1846
                                          virDomainDefPtr def)
1847 1848
{
    /* TODO: verify DOI */
1849 1850 1851 1852 1853
    virSecurityLabelDefPtr secdef;

    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (secdef == NULL)
        return -1;
1854

1855
    if (secdef->label == NULL)
1856 1857
        return 0;

1858
    VIR_DEBUG("label=%s", secdef->label);
1859
    if (!STREQ(SECURITY_SELINUX_NAME, secdef->model)) {
1860 1861 1862 1863
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("security label driver mismatch: "
                         "'%s' model configured for domain, but "
                         "hypervisor driver is '%s'."),
1864
                       secdef->model, SECURITY_SELINUX_NAME);
1865
        if (security_getenforce() == 1)
1866
            return -1;
1867 1868
    }

M
Martin Kletzander 已提交
1869
    if (setexeccon_raw(secdef->label) == -1) {
1870
        virReportSystemError(errno,
1871 1872
                             _("unable to set security context '%s'"),
                             secdef->label);
1873
        if (security_getenforce() == 1)
1874
            return -1;
1875 1876
    }

1877 1878 1879
    return 0;
}

1880 1881 1882 1883 1884 1885 1886 1887 1888 1889 1890 1891 1892 1893 1894 1895 1896 1897 1898 1899 1900 1901 1902 1903 1904 1905 1906 1907 1908 1909 1910
static int
virSecuritySELinuxSetSecurityChildProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                               virDomainDefPtr def,
                                               virCommandPtr cmd)
{
    /* TODO: verify DOI */
    virSecurityLabelDefPtr secdef;

    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (secdef == NULL)
        return -1;

    if (secdef->label == NULL)
        return 0;

    VIR_DEBUG("label=%s", secdef->label);
    if (!STREQ(SECURITY_SELINUX_NAME, secdef->model)) {
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("security label driver mismatch: "
                         "'%s' model configured for domain, but "
                         "hypervisor driver is '%s'."),
                       secdef->model, SECURITY_SELINUX_NAME);
        if (security_getenforce() == 1)
            return -1;
    }

    /* save in cmd to be set after fork/before child process is exec'ed */
    virCommandSetSELinuxLabel(cmd, secdef->label);
    return 0;
}

1911
static int
1912
virSecuritySELinuxSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
1913
                                               virDomainDefPtr def)
1914 1915
{
    /* TODO: verify DOI */
1916
    virSecurityLabelDefPtr secdef;
1917
    security_context_t scon = NULL;
1918
    char *str = NULL;
1919 1920
    int rc = -1;

1921 1922 1923 1924 1925
    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (secdef == NULL)
        return -1;

    if (secdef->label == NULL)
1926 1927
        return 0;

1928
    if (!STREQ(SECURITY_SELINUX_NAME, secdef->model)) {
1929 1930 1931 1932
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("security label driver mismatch: "
                         "'%s' model configured for domain, but "
                         "hypervisor driver is '%s'."),
1933
                       secdef->model, SECURITY_SELINUX_NAME);
1934 1935 1936
        goto done;
    }

M
Martin Kletzander 已提交
1937
    if (getcon_raw(&scon) == -1) {
1938 1939 1940 1941 1942 1943
        virReportSystemError(errno,
                             _("unable to get current process context '%s'"),
                             secdef->label);
        goto done;
    }

1944
    if (!(str = virSecuritySELinuxContextAddRange(secdef->label, scon)))
1945 1946
        goto done;

1947 1948
    VIR_DEBUG("Setting VM %s socket context %s", def->name, str);
    if (setsockcreatecon_raw(str) == -1) {
1949
        virReportSystemError(errno,
1950
                             _("unable to set socket security context '%s'"), str);
1951 1952 1953 1954 1955 1956 1957 1958 1959
        goto done;
    }

    rc = 0;
done:

    if (security_getenforce() != 1)
        rc = 0;
    freecon(scon);
1960
    VIR_FREE(str);
1961 1962 1963
    return rc;
}

1964
static int
1965
virSecuritySELinuxSetSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
1966
                                         virDomainDefPtr vm)
1967
{
1968
    virSecurityLabelDefPtr secdef;
1969 1970
    int rc = -1;

1971 1972 1973 1974
    secdef = virDomainDefGetSecurityLabelDef(vm, SECURITY_SELINUX_NAME);
    if (secdef == NULL)
        return -1;

1975 1976 1977
    if (secdef->label == NULL)
        return 0;

1978
    if (!STREQ(SECURITY_SELINUX_NAME, secdef->model)) {
1979 1980 1981 1982
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("security label driver mismatch: "
                         "'%s' model configured for domain, but "
                         "hypervisor driver is '%s'."),
1983
                       secdef->model, SECURITY_SELINUX_NAME);
1984 1985 1986 1987
        goto done;
    }

    VIR_DEBUG("Setting VM %s socket context %s",
1988
              vm->name, secdef->label);
M
Martin Kletzander 已提交
1989
    if (setsockcreatecon_raw(secdef->label) == -1) {
1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004
        virReportSystemError(errno,
                             _("unable to set socket security context '%s'"),
                             secdef->label);
        goto done;
    }

    rc = 0;

done:
    if (security_getenforce() != 1)
        rc = 0;

    return rc;
}

2005
static int
2006
virSecuritySELinuxClearSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
2007
                                           virDomainDefPtr def)
2008 2009
{
    /* TODO: verify DOI */
2010 2011 2012 2013 2014
    virSecurityLabelDefPtr secdef;

    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (secdef == NULL)
        return -1;
2015

2016
    if (secdef->label == NULL)
2017 2018
        return 0;

2019
    if (!STREQ(SECURITY_SELINUX_NAME, secdef->model)) {
2020 2021 2022 2023
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("security label driver mismatch: "
                         "'%s' model configured for domain, but "
                         "hypervisor driver is '%s'."),
2024
                       secdef->model, SECURITY_SELINUX_NAME);
2025 2026 2027 2028
        if (security_getenforce() == 1)
            return -1;
    }

M
Martin Kletzander 已提交
2029
    if (setsockcreatecon_raw(NULL) == -1) {
2030 2031 2032 2033 2034 2035 2036 2037 2038
        virReportSystemError(errno,
                             _("unable to clear socket security context '%s'"),
                             secdef->label);
        if (security_getenforce() == 1)
            return -1;
    }
    return 0;
}

2039 2040

static int
2041 2042 2043
virSecuritySELinuxSetSecurityChardevCallback(virDomainDefPtr def,
                                             virDomainChrDefPtr dev,
                                             void *opaque ATTRIBUTE_UNUSED)
2044
{
2045 2046 2047 2048 2049
    /* This is taken care of by processing of def->serials */
    if (dev->deviceType == VIR_DOMAIN_CHR_DEVICE_TYPE_CONSOLE &&
        dev->targetType == VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_SERIAL)
        return 0;

2050
    return virSecuritySELinuxSetSecurityChardevLabel(def, dev, &dev->source);
2051 2052 2053
}


E
Eric Blake 已提交
2054
static int
2055 2056 2057
virSecuritySELinuxSetSecuritySmartcardCallback(virDomainDefPtr def,
                                               virDomainSmartcardDefPtr dev,
                                               void *opaque)
E
Eric Blake 已提交
2058 2059
{
    const char *database;
2060 2061
    virSecurityManagerPtr mgr = opaque;
    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
E
Eric Blake 已提交
2062 2063 2064 2065 2066 2067 2068 2069 2070

    switch (dev->type) {
    case VIR_DOMAIN_SMARTCARD_TYPE_HOST:
        break;

    case VIR_DOMAIN_SMARTCARD_TYPE_HOST_CERTIFICATES:
        database = dev->data.cert.database;
        if (!database)
            database = VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE;
2071
        return virSecuritySELinuxSetFilecon(database, data->content_context);
E
Eric Blake 已提交
2072 2073

    case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
2074
        return virSecuritySELinuxSetSecurityChardevLabel(def, NULL, &dev->data.passthru);
E
Eric Blake 已提交
2075 2076

    default:
2077 2078 2079
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("unknown smartcard type %d"),
                       dev->type);
E
Eric Blake 已提交
2080 2081 2082 2083 2084 2085 2086
        return -1;
    }

    return 0;
}


2087
static int
2088 2089 2090
virSecuritySELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
                                      virDomainDefPtr def,
                                      const char *stdin_path)
2091 2092
{
    int i;
2093 2094 2095 2096 2097 2098
    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
    virSecurityLabelDefPtr secdef;

    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (secdef == NULL)
        return -1;
2099

2100
    if (secdef->norelabel || data->skipAllLabel)
2101 2102
        return 0;

2103
    for (i = 0 ; i < def->ndisks ; i++) {
2104
        /* XXX fixme - we need to recursively label the entire tree :-( */
2105
        if (def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_DIR) {
2106
            VIR_WARN("Unable to relabel directory tree %s for disk %s",
2107
                     def->disks[i]->src, def->disks[i]->dst);
2108
            continue;
2109
        }
2110
        if (virSecuritySELinuxSetSecurityImageLabel(mgr,
2111
                                         def, def->disks[i]) < 0)
2112 2113
            return -1;
    }
2114
    /* XXX fixme process  def->fss if relabel == true */
2115

2116
    for (i = 0 ; i < def->nhostdevs ; i++) {
2117
        if (virSecuritySELinuxSetSecurityHostdevLabel(mgr,
2118 2119 2120
                                                      def,
                                                      def->hostdevs[i],
                                                      NULL) < 0)
2121
            return -1;
2122 2123
    }

2124
    if (virDomainChrDefForeach(def,
2125
                               true,
2126
                               virSecuritySELinuxSetSecurityChardevCallback,
2127
                               NULL) < 0)
2128 2129
        return -1;

2130
    if (virDomainSmartcardDefForeach(def,
E
Eric Blake 已提交
2131
                                     true,
2132
                                     virSecuritySELinuxSetSecuritySmartcardCallback,
2133
                                     mgr) < 0)
E
Eric Blake 已提交
2134 2135
        return -1;

2136
    if (def->os.kernel &&
2137
        virSecuritySELinuxSetFilecon(def->os.kernel, data->content_context) < 0)
2138 2139
        return -1;

2140
    if (def->os.initrd &&
2141
        virSecuritySELinuxSetFilecon(def->os.initrd, data->content_context) < 0)
2142 2143
        return -1;

2144
    if (stdin_path) {
2145
        if (virSecuritySELinuxSetFilecon(stdin_path, data->content_context) < 0 &&
2146 2147 2148 2149
            virStorageFileIsSharedFSType(stdin_path,
                                         VIR_STORAGE_FILE_SHFS_NFS) != 1)
            return -1;
    }
2150

2151 2152 2153
    return 0;
}

2154
static int
2155 2156 2157
virSecuritySELinuxSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                  virDomainDefPtr def,
                                  int fd)
2158
{
2159 2160 2161 2162 2163
    virSecurityLabelDefPtr secdef;

    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (secdef == NULL)
        return -1;
2164 2165 2166 2167

    if (secdef->imagelabel == NULL)
        return 0;

2168
    return virSecuritySELinuxFSetFilecon(fd, secdef->imagelabel);
2169 2170
}

2171
static int
2172
virSecuritySELinuxSetTapFDLabel(virSecurityManagerPtr mgr,
2173 2174 2175 2176 2177 2178 2179 2180 2181 2182 2183 2184 2185 2186 2187 2188 2189 2190 2191 2192 2193 2194 2195 2196 2197 2198 2199
                                virDomainDefPtr def,
                                int fd)
{
    struct stat buf;
    security_context_t fcon = NULL;
    virSecurityLabelDefPtr secdef;
    char *str = NULL;
    int rc = -1;

    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (secdef == NULL)
        return rc;

    if (secdef->label == NULL)
        return 0;

    if (fstat(fd, &buf) < 0) {
        virReportSystemError(errno, _("cannot stat tap fd %d"), fd);
        goto cleanup;
    }

    if ((buf.st_mode & S_IFMT) != S_IFCHR) {
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("tap fd %d is not character device"), fd);
        goto cleanup;
    }

2200
    if (getContext(mgr, "/dev/tap.*", buf.st_mode, &fcon) < 0) {
2201 2202 2203 2204 2205 2206 2207 2208 2209 2210 2211 2212 2213 2214 2215 2216 2217
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("cannot lookup default selinux label for tap fd %d"), fd);
        goto cleanup;
    }

    if (!(str = virSecuritySELinuxContextAddRange(secdef->label, fcon))) {
        goto cleanup;
    } else {
        rc = virSecuritySELinuxFSetFilecon(fd, str);
    }

cleanup:
    freecon(fcon);
    VIR_FREE(str);
    return rc;
}

2218 2219 2220 2221
static char *
virSecuritySELinuxGenImageLabel(virSecurityManagerPtr mgr,
                                virDomainDefPtr def)
{
2222
    virSecurityLabelDefPtr secdef;
2223 2224 2225 2226 2227 2228
    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
    const char *range;
    context_t ctx = NULL;
    char *label = NULL;
    const char *mcs = NULL;

2229 2230 2231 2232
    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (secdef == NULL)
        goto cleanup;

2233 2234 2235 2236 2237 2238 2239 2240 2241 2242 2243 2244 2245
    if (secdef->label) {
        ctx = context_new(secdef->label);
        if (!ctx) {
            virReportOOMError();
            goto cleanup;
        }
        range = context_range_get(ctx);
        if (range) {
            mcs = strdup(range);
            if (!mcs) {
                virReportOOMError();
                goto cleanup;
            }
2246 2247
            if (!(label = virSecuritySELinuxGenNewContext(data->file_context,
                                                          mcs, true)))
2248 2249 2250 2251 2252 2253 2254 2255 2256 2257
                goto cleanup;
        }
    }

cleanup:
        context_free(ctx);
        VIR_FREE(mcs);
        return label;
}

2258 2259 2260 2261
static char *
virSecuritySELinuxGetSecurityMountOptions(virSecurityManagerPtr mgr,
                                          virDomainDefPtr def)
{
2262
    char *opts = NULL;
2263 2264
    virSecurityLabelDefPtr secdef;

2265 2266 2267 2268 2269 2270 2271 2272 2273 2274 2275 2276
    if ((secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME))) {
        if (!secdef->imagelabel)
            secdef->imagelabel = virSecuritySELinuxGenImageLabel(mgr, def);

        if (secdef->imagelabel &&
            virAsprintf(&opts,
                        ",context=\"%s\"",
                        (const char*) secdef->imagelabel) < 0) {
            virReportOOMError();
            return NULL;
        }
    }
2277

2278 2279 2280 2281
    if (!opts &&
        !(opts = strdup(""))) {
        virReportOOMError();
        return NULL;
2282 2283
    }

2284 2285
    VIR_DEBUG("imageLabel=%s opts=%s",
              secdef ? secdef->imagelabel : "(null)", opts);
2286 2287 2288
    return opts;
}

2289
virSecurityDriver virSecurityDriverSELinux = {
2290 2291
    .privateDataLen                     = sizeof(virSecuritySELinuxData),
    .name                               = SECURITY_SELINUX_NAME,
2292 2293 2294
    .probe                              = virSecuritySELinuxSecurityDriverProbe,
    .open                               = virSecuritySELinuxSecurityDriverOpen,
    .close                              = virSecuritySELinuxSecurityDriverClose,
2295

2296 2297
    .getModel                           = virSecuritySELinuxSecurityGetModel,
    .getDOI                             = virSecuritySELinuxSecurityGetDOI,
2298

2299
    .domainSecurityVerify               = virSecuritySELinuxSecurityVerify,
2300

2301 2302
    .domainSetSecurityImageLabel        = virSecuritySELinuxSetSecurityImageLabel,
    .domainRestoreSecurityImageLabel    = virSecuritySELinuxRestoreSecurityImageLabel,
2303

2304 2305 2306
    .domainSetSecurityDaemonSocketLabel = virSecuritySELinuxSetSecurityDaemonSocketLabel,
    .domainSetSecuritySocketLabel       = virSecuritySELinuxSetSecuritySocketLabel,
    .domainClearSecuritySocketLabel     = virSecuritySELinuxClearSecuritySocketLabel,
2307

2308 2309 2310
    .domainGenSecurityLabel             = virSecuritySELinuxGenSecurityLabel,
    .domainReserveSecurityLabel         = virSecuritySELinuxReserveSecurityLabel,
    .domainReleaseSecurityLabel         = virSecuritySELinuxReleaseSecurityLabel,
2311

2312 2313
    .domainGetSecurityProcessLabel      = virSecuritySELinuxGetSecurityProcessLabel,
    .domainSetSecurityProcessLabel      = virSecuritySELinuxSetSecurityProcessLabel,
2314
    .domainSetSecurityChildProcessLabel = virSecuritySELinuxSetSecurityChildProcessLabel,
2315

2316 2317
    .domainSetSecurityAllLabel          = virSecuritySELinuxSetSecurityAllLabel,
    .domainRestoreSecurityAllLabel      = virSecuritySELinuxRestoreSecurityAllLabel,
2318

2319 2320
    .domainSetSecurityHostdevLabel      = virSecuritySELinuxSetSecurityHostdevLabel,
    .domainRestoreSecurityHostdevLabel  = virSecuritySELinuxRestoreSecurityHostdevLabel,
2321

2322 2323
    .domainSetSavedStateLabel           = virSecuritySELinuxSetSavedStateLabel,
    .domainRestoreSavedStateLabel       = virSecuritySELinuxRestoreSavedStateLabel,
2324

2325
    .domainSetSecurityImageFDLabel      = virSecuritySELinuxSetImageFDLabel,
2326
    .domainSetSecurityTapFDLabel        = virSecuritySELinuxSetTapFDLabel,
2327

2328
    .domainGetSecurityMountOptions      = virSecuritySELinuxGetSecurityMountOptions,
2329
};