You need to sign in or sign up before continuing.
security_selinux.c 37.7 KB
Newer Older
1
/*
2
 * Copyright (C) 2008-2011 Red Hat, Inc.
3 4 5 6 7 8 9 10
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * Authors:
 *     James Morris <jmorris@namei.org>
11
 *     Dan Walsh <dwalsh@redhat.com>
12 13 14 15 16 17 18 19 20
 *
 * SELinux security driver.
 */
#include <config.h>
#include <selinux/selinux.h>
#include <selinux/context.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
E
Eric Blake 已提交
21 22 23
#if HAVE_SELINUX_LABEL_H
# include <selinux/label.h>
#endif
24

25
#include "security_driver.h"
26 27 28 29
#include "security_selinux.h"
#include "virterror_internal.h"
#include "util.h"
#include "memory.h"
30
#include "logging.h"
31 32
#include "pci.h"
#include "hostusb.h"
33
#include "storage_file.h"
E
Eric Blake 已提交
34
#include "virfile.h"
D
Daniel P. Berrange 已提交
35 36 37

#define VIR_FROM_THIS VIR_FROM_SECURITY

38
static char default_domain_context[1024];
39
static char default_content_context[1024];
40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59
static char default_image_context[1024];
#define SECURITY_SELINUX_VOID_DOI       "0"
#define SECURITY_SELINUX_NAME "selinux"

/* TODO
   The data struct of used mcs should be replaced with a better data structure in the future
*/

struct MCS {
    char *mcs;
    struct MCS *next;
};
static struct MCS *mcsList = NULL;

static int
mcsAdd(const char *mcs)
{
    struct MCS *ptr;

    for (ptr = mcsList; ptr; ptr = ptr->next) {
D
Daniel P. Berrange 已提交
60
        if (STREQ(ptr->mcs, mcs))
61 62
            return -1;
    }
D
Daniel P. Berrange 已提交
63 64
    if (VIR_ALLOC(ptr) < 0)
        return -1;
65 66 67 68 69 70 71 72 73 74 75 76 77
    ptr->mcs = strdup(mcs);
    ptr->next = mcsList;
    mcsList = ptr;
    return 0;
}

static int
mcsRemove(const char *mcs)
{
    struct MCS *prevptr = NULL;
    struct MCS *ptr = NULL;

    for (ptr = mcsList; ptr; ptr = ptr->next) {
D
Daniel P. Berrange 已提交
78
        if (STREQ(ptr->mcs, mcs)) {
79 80 81 82 83
            if (prevptr)
                prevptr->next = ptr->next;
            else {
                mcsList = ptr->next;
            }
84 85
            VIR_FREE(ptr->mcs);
            VIR_FREE(ptr);
86 87 88 89 90 91 92 93 94 95 96 97
            return 0;
        }
        prevptr = ptr;
    }
    return -1;
}

static char *
SELinuxGenNewContext(const char *oldcontext, const char *mcs)
{
    char *newcontext = NULL;
    char *scontext = strdup(oldcontext);
98
    context_t con;
99
    if (!scontext) goto err;
100
    con = context_new(scontext);
101 102 103 104 105 106 107 108 109 110
    if (!con) goto err;
    context_range_set(con, mcs);
    newcontext = strdup(context_str(con));
    context_free(con);
err:
    freecon(scontext);
    return (newcontext);
}

static int
111
SELinuxInitialize(void)
112 113 114 115 116 117
{
    char *ptr = NULL;
    int fd = 0;

    fd = open(selinux_virtual_domain_context_path(), O_RDONLY);
    if (fd < 0) {
118
        virReportSystemError(errno,
119 120
                             _("cannot open SELinux virtual domain context file '%s'"),
                             selinux_virtual_domain_context_path());
121 122 123 124
        return -1;
    }

    if (saferead(fd, default_domain_context, sizeof(default_domain_context)) < 0) {
125
        virReportSystemError(errno,
126 127
                             _("cannot read SELinux virtual domain context file %s"),
                             selinux_virtual_domain_context_path());
128
        VIR_FORCE_CLOSE(fd);
129 130
        return -1;
    }
131
    VIR_FORCE_CLOSE(fd);
132 133 134 135 136

    ptr = strchrnul(default_domain_context, '\n');
    *ptr = '\0';

    if ((fd = open(selinux_virtual_image_context_path(), O_RDONLY)) < 0) {
137
        virReportSystemError(errno,
138 139
                             _("cannot open SELinux virtual image context file %s"),
                             selinux_virtual_image_context_path());
140 141 142 143
        return -1;
    }

    if (saferead(fd, default_image_context, sizeof(default_image_context)) < 0) {
144
        virReportSystemError(errno,
145 146
                             _("cannot read SELinux virtual image context file %s"),
                             selinux_virtual_image_context_path());
147
        VIR_FORCE_CLOSE(fd);
148 149
        return -1;
    }
150
    VIR_FORCE_CLOSE(fd);
151 152

    ptr = strchrnul(default_image_context, '\n');
153 154 155 156 157 158 159
    if (*ptr == '\n') {
        *ptr = '\0';
        strcpy(default_content_context, ptr+1);
        ptr = strchrnul(default_content_context, '\n');
        if (*ptr == '\n')
            *ptr = '\0';
    }
160 161 162 163
    return 0;
}

static int
164
SELinuxGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
165
                        virDomainObjPtr vm)
166 167
{
    int rc = -1;
168
    char *mcs = NULL;
169 170 171
    char *scontext = NULL;
    int c1 = 0;
    int c2 = 0;
172
    context_t ctx = NULL;
173

174 175 176 177 178 179 180 181
    if ((vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) &&
        !vm->def->seclabel.baselabel &&
        vm->def->seclabel.model) {
        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                               "%s", _("security model already defined for VM"));
        return rc;
    }

182 183
    if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
        vm->def->seclabel.label) {
184
        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
185
                               "%s", _("security label already defined for VM"));
186
        return rc;
D
Daniel P. Berrange 已提交
187
    }
188

189 190 191 192 193 194
    if (vm->def->seclabel.imagelabel) {
        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                               "%s", _("security image label already defined for VM"));
        return rc;
    }

195 196 197 198 199 200 201 202
    if (vm->def->seclabel.model &&
        STRNEQ(vm->def->seclabel.model, SECURITY_SELINUX_NAME)) {
        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                               _("security label model %s is not supported with selinux"),
                               vm->def->seclabel.model);
        return rc;
    }

203 204 205 206 207 208
    if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC) {
        if (!(ctx = context_new(vm->def->seclabel.label)) ) {
            virReportSystemError(errno,
                                 _("unable to allocate socket security context '%s'"),
                                 vm->def->seclabel.label);
            return rc;
209 210
        }

211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248
        const char *range = context_range_get(ctx);
        if (!range ||
            !(mcs = strdup(range))) {
            virReportOOMError();
            goto cleanup;
        }
    } else {
        do {
            c1 = virRandom(1024);
            c2 = virRandom(1024);

            if ( c1 == c2 ) {
                if (virAsprintf(&mcs, "s0:c%d", c1) < 0) {
                    virReportOOMError();
                    goto cleanup;
                }
            } else {
                if (c1 > c2) {
                    c1 ^= c2;
                    c2 ^= c1;
                    c1 ^= c2;
                }
                if (virAsprintf(&mcs, "s0:c%d,c%d", c1, c2) < 0) {
                    virReportOOMError();
                    goto cleanup;
                }
            }
        } while (mcsAdd(mcs) == -1);

        vm->def->seclabel.label =
            SELinuxGenNewContext(vm->def->seclabel.baselabel ?
                                 vm->def->seclabel.baselabel :
                                 default_domain_context, mcs);
        if (! vm->def->seclabel.label)  {
            virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                                   _("cannot generate selinux context for %s"), mcs);
            goto cleanup;
        }
D
Daniel P. Berrange 已提交
249
    }
250
    vm->def->seclabel.imagelabel = SELinuxGenNewContext(default_image_context, mcs);
251
    if (!vm->def->seclabel.imagelabel)  {
252
        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
D
Daniel P. Berrange 已提交
253
                               _("cannot generate selinux context for %s"), mcs);
254
        goto cleanup;
D
Daniel P. Berrange 已提交
255
    }
256

257 258
    if (!vm->def->seclabel.model &&
        !(vm->def->seclabel.model = strdup(SECURITY_SELINUX_NAME))) {
259
        virReportOOMError();
260
        goto cleanup;
D
Daniel P. Berrange 已提交
261 262
    }

263
    rc = 0;
264 265 266 267 268 269 270 271 272 273 274 275 276

cleanup:
    if (rc != 0) {
        if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC)
            VIR_FREE(vm->def->seclabel.label);
        VIR_FREE(vm->def->seclabel.imagelabel);
        if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
            !vm->def->seclabel.baselabel)
            VIR_FREE(vm->def->seclabel.model);
    }

    if (ctx)
        context_free(ctx);
D
Daniel P. Berrange 已提交
277
    VIR_FREE(scontext);
278 279 280 281 282 283 284 285
    VIR_FREE(mcs);

    VIR_DEBUG("model=%s label=%s imagelabel=%s baselabel=%s",
              NULLSTR(vm->def->seclabel.model),
              NULLSTR(vm->def->seclabel.label),
              NULLSTR(vm->def->seclabel.imagelabel),
              NULLSTR(vm->def->seclabel.baselabel));

286 287 288
    return rc;
}

289
static int
290
SELinuxReserveSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
291
                            virDomainObjPtr vm)
292 293 294 295 296
{
    security_context_t pctx;
    context_t ctx = NULL;
    const char *mcs;

297 298 299
    if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC)
        return 0;

300
    if (getpidcon(vm->pid, &pctx) == -1) {
301
        virReportSystemError(errno,
302
                             _("unable to get PID %d security context"), vm->pid);
303 304 305 306
        return -1;
    }

    ctx = context_new(pctx);
307
    freecon(pctx);
308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327
    if (!ctx)
        goto err;

    mcs = context_range_get(ctx);
    if (!mcs)
        goto err;

    mcsAdd(mcs);

    context_free(ctx);

    return 0;

err:
    context_free(ctx);
    return -1;
}



328 329 330 331 332 333 334
static int
SELinuxSecurityDriverProbe(void)
{
    return is_selinux_enabled() ? SECURITY_DRIVER_ENABLE : SECURITY_DRIVER_DISABLE;
}

static int
335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352
SELinuxSecurityDriverOpen(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
{
    return SELinuxInitialize();
}

static int
SELinuxSecurityDriverClose(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
{
    return 0;
}


static const char *SELinuxSecurityGetModel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
{
    return SECURITY_SELINUX_NAME;
}

static const char *SELinuxSecurityGetDOI(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
353 354 355 356 357
{
    /*
     * Where will the DOI come from?  SELinux configuration, or qemu
     * configuration? For the moment, we'll just set it to "0".
     */
358
    return SECURITY_SELINUX_VOID_DOI;
359 360 361
}

static int
362
SELinuxGetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
363
                               virDomainObjPtr vm,
364
                               virSecurityLabelPtr sec)
365 366 367 368
{
    security_context_t ctx;

    if (getpidcon(vm->pid, &ctx) == -1) {
369
        virReportSystemError(errno,
370 371
                             _("unable to get PID %d security context"),
                             vm->pid);
372 373 374 375
        return -1;
    }

    if (strlen((char *) ctx) >= VIR_SECURITY_LABEL_BUFLEN) {
376
        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
377
                               _("security label exceeds "
C
Cole Robinson 已提交
378
                                 "maximum length: %d"),
379
                               VIR_SECURITY_LABEL_BUFLEN - 1);
380
        freecon(ctx);
381 382 383 384
        return -1;
    }

    strcpy(sec->label, (char *) ctx);
385
    freecon(ctx);
386 387 388

    sec->enforcing = security_getenforce();
    if (sec->enforcing == -1) {
389
        virReportSystemError(errno, "%s",
390
                             _("error calling security_getenforce()"));
391 392 393 394 395 396 397
        return -1;
    }

    return 0;
}

static int
398
SELinuxSetFilecon(const char *path, char *tcon)
399
{
400
    security_context_t econ;
401

402 403
    VIR_INFO("Setting SELinux context on '%s' to '%s'", path, tcon);

404
    if (setfilecon(path, tcon) < 0) {
405 406
        int setfilecon_errno = errno;

407 408 409 410 411 412 413 414
        if (getfilecon(path, &econ) >= 0) {
            if (STREQ(tcon, econ)) {
                freecon(econ);
                /* It's alright, there's nothing to change anyway. */
                return 0;
            }
            freecon(econ);
        }
415 416

        /* if the error complaint is related to an image hosted on
417 418
         * an nfs mount, or a usbfs/sysfs filesystem not supporting
         * labelling, then just ignore it & hope for the best.
419
         * The user hopefully set one of the necessary SELinux
420
         * virt_use_{nfs,usb,pci}  boolean tunables to allow it...
421 422
         */
        if (setfilecon_errno != EOPNOTSUPP) {
423
            virReportSystemError(setfilecon_errno,
424 425
                                 _("unable to set security context '%s' on '%s'"),
                                 tcon, path);
426 427
            if (security_getenforce() == 1)
                return -1;
428 429 430
        } else {
            VIR_INFO("Setting security context '%s' on '%s' not supported",
                     tcon, path);
431
        }
432 433 434 435
    }
    return 0;
}

436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474
static int
SELinuxFSetFilecon(int fd, char *tcon)
{
    security_context_t econ;

    VIR_INFO("Setting SELinux context on fd %d to '%s'", fd, tcon);

    if (fsetfilecon(fd, tcon) < 0) {
        int fsetfilecon_errno = errno;

        if (fgetfilecon(fd, &econ) >= 0) {
            if (STREQ(tcon, econ)) {
                freecon(econ);
                /* It's alright, there's nothing to change anyway. */
                return 0;
            }
            freecon(econ);
        }

        /* if the error complaint is related to an image hosted on
         * an nfs mount, or a usbfs/sysfs filesystem not supporting
         * labelling, then just ignore it & hope for the best.
         * The user hopefully set one of the necessary SELinux
         * virt_use_{nfs,usb,pci}  boolean tunables to allow it...
         */
        if (fsetfilecon_errno != EOPNOTSUPP) {
            virReportSystemError(fsetfilecon_errno,
                                 _("unable to set security context '%s' on fd %d"),
                                 tcon, fd);
            if (security_getenforce() == 1)
                return -1;
        } else {
            VIR_INFO("Setting security context '%s' on fd %d not supported",
                     tcon, fd);
        }
    }
    return 0;
}

E
Eric Blake 已提交
475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493
/* Set fcon to the appropriate label for path and mode, or return -1.  */
static int
getContext(const char *newpath, mode_t mode, security_context_t *fcon)
{
#if HAVE_SELINUX_LABEL_H
    struct selabel_handle *handle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
    int ret;

    if (handle == NULL)
        return -1;

    ret = selabel_lookup(handle, fcon, newpath, mode);
    selabel_close(handle);
    return ret;
#else
    return matchpathcon(newpath, mode, fcon);
#endif
}

494 495 496

/* This method shouldn't raise errors, since they'll overwrite
 * errors that the caller(s) are already dealing with */
497
static int
498
SELinuxRestoreSecurityFileLabel(const char *path)
499
{
500 501 502 503
    struct stat buf;
    security_context_t fcon = NULL;
    int rc = -1;
    char *newpath = NULL;
504
    char ebuf[1024];
505

506 507
    VIR_INFO("Restoring SELinux context on '%s'", path);

508
    if (virFileResolveLink(path, &newpath) < 0) {
509 510
        VIR_WARN("cannot resolve symlink %s: %s", path,
                 virStrerror(errno, ebuf, sizeof(ebuf)));
D
Daniel P. Berrange 已提交
511
        goto err;
512
    }
513

514
    if (stat(newpath, &buf) != 0) {
515 516
        VIR_WARN("cannot stat %s: %s", newpath,
                 virStrerror(errno, ebuf, sizeof(ebuf)));
D
Daniel P. Berrange 已提交
517
        goto err;
518
    }
D
Daniel P. Berrange 已提交
519

E
Eric Blake 已提交
520
    if (getContext(newpath, buf.st_mode, &fcon) < 0) {
521
        VIR_WARN("cannot lookup default selinux label for %s", newpath);
522
    } else {
523
        rc = SELinuxSetFilecon(newpath, fcon);
524
    }
525

526
err:
527
    freecon(fcon);
528 529
    VIR_FREE(newpath);
    return rc;
530 531
}

532
static int
533
SELinuxRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
534
                                    virDomainObjPtr vm,
535 536
                                    virDomainDiskDefPtr disk,
                                    int migrated)
537
{
538 539
    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;

540
    if (secdef->norelabel)
541 542
        return 0;

543 544 545 546 547 548 549 550 551 552 553
    /* Don't restore labels on readoly/shared disks, because
     * other VMs may still be accessing these
     * Alternatively we could iterate over all running
     * domains and try to figure out if it is in use, but
     * this would not work for clustered filesystems, since
     * we can't see running VMs using the file on other nodes
     * Safest bet is thus to skip the restore step.
     */
    if (disk->readonly || disk->shared)
        return 0;

554
    if (!disk->src || disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK)
555 556
        return 0;

557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572
    /* If we have a shared FS & doing migrated, we must not
     * change ownership, because that kills access on the
     * destination host which is sub-optimal for the guest
     * VM's I/O attempts :-)
     */
    if (migrated) {
        int rc = virStorageFileIsSharedFS(disk->src);
        if (rc < 0)
            return -1;
        if (rc == 1) {
            VIR_DEBUG("Skipping image label restore on %s because FS is shared",
                      disk->src);
            return 0;
        }
    }

573
    return SELinuxRestoreSecurityFileLabel(disk->src);
574 575
}

576 577

static int
578
SELinuxRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
579
                                 virDomainObjPtr vm,
580 581
                                 virDomainDiskDefPtr disk)
{
582
    return SELinuxRestoreSecurityImageLabelInt(mgr, vm, disk, 0);
583 584 585
}


586 587 588 589 590 591 592
static int
SELinuxSetSecurityFileLabel(virDomainDiskDefPtr disk,
                            const char *path,
                            size_t depth,
                            void *opaque)
{
    const virSecurityLabelDefPtr secdef = opaque;
593
    int ret;
594 595 596

    if (depth == 0) {
        if (disk->shared) {
597
            ret = SELinuxSetFilecon(path, default_image_context);
598
        } else if (disk->readonly) {
599
            ret = SELinuxSetFilecon(path, default_content_context);
600
        } else if (secdef->imagelabel) {
601
            ret = SELinuxSetFilecon(path, secdef->imagelabel);
602
        } else {
603
            ret = 0;
604 605
        }
    } else {
606
        ret = SELinuxSetFilecon(path, default_content_context);
607
    }
608 609 610 611 612
    if (ret < 0 &&
        virStorageFileIsSharedFSType(path,
                                     VIR_STORAGE_FILE_SHFS_NFS) == 1)
       ret = 0;
    return ret;
613 614
}

615
static int
616
SELinuxSetSecurityImageLabel(virSecurityManagerPtr mgr,
617
                             virDomainObjPtr vm,
618
                             virDomainDiskDefPtr disk)
619 620 621

{
    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
622
    bool allowDiskFormatProbing = virSecurityManagerGetAllowDiskFormatProbing(mgr);
623

624
    if (secdef->norelabel)
625 626
        return 0;

627
    return virDomainDiskDefForeachPath(disk,
628
                                       allowDiskFormatProbing,
629
                                       true,
630 631
                                       SELinuxSetSecurityFileLabel,
                                       secdef);
632 633
}

634 635

static int
636
SELinuxSetSecurityPCILabel(pciDevice *dev ATTRIBUTE_UNUSED,
637 638 639 640 641
                           const char *file, void *opaque)
{
    virDomainObjPtr vm = opaque;
    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;

642
    return SELinuxSetFilecon(file, secdef->imagelabel);
643 644 645
}

static int
646
SELinuxSetSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED,
647 648 649 650 651
                           const char *file, void *opaque)
{
    virDomainObjPtr vm = opaque;
    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;

652
    return SELinuxSetFilecon(file, secdef->imagelabel);
653 654 655
}

static int
656
SELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
657
                               virDomainObjPtr vm,
658 659 660
                               virDomainHostdevDefPtr dev)

{
661
    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
662 663
    int ret = -1;

664
    if (secdef->norelabel)
665 666
        return 0;

667 668 669 670 671
    if (dev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS)
        return 0;

    switch (dev->source.subsys.type) {
    case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB: {
672
        usbDevice *usb = usbGetDevice(dev->source.subsys.u.usb.bus,
673
                                      dev->source.subsys.u.usb.device);
674

675 676
        if (!usb)
            goto done;
677

678
        ret = usbDeviceFileIterate(usb, SELinuxSetSecurityUSBLabel, vm);
679
        usbFreeDevice(usb);
M
Mark McLoughlin 已提交
680
        break;
681 682 683
    }

    case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI: {
684
        pciDevice *pci = pciGetDevice(dev->source.subsys.u.pci.domain,
685 686 687 688 689 690 691
                                      dev->source.subsys.u.pci.bus,
                                      dev->source.subsys.u.pci.slot,
                                      dev->source.subsys.u.pci.function);

        if (!pci)
            goto done;

692
        ret = pciDeviceFileIterate(pci, SELinuxSetSecurityPCILabel, vm);
693
        pciFreeDevice(pci);
694 695 696 697 698 699 700 701 702 703 704 705 706

        break;
    }

    default:
        ret = 0;
        break;
    }

done:
    return ret;
}

707

708
static int
709
SELinuxRestoreSecurityPCILabel(pciDevice *dev ATTRIBUTE_UNUSED,
710 711 712
                               const char *file,
                               void *opaque ATTRIBUTE_UNUSED)
{
713
    return SELinuxRestoreSecurityFileLabel(file);
714 715 716
}

static int
717
SELinuxRestoreSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED,
718 719 720
                               const char *file,
                               void *opaque ATTRIBUTE_UNUSED)
{
721
    return SELinuxRestoreSecurityFileLabel(file);
722 723 724
}

static int
725
SELinuxRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
726
                                   virDomainObjPtr vm,
727 728 729
                                   virDomainHostdevDefPtr dev)

{
730
    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
731 732
    int ret = -1;

733
    if (secdef->norelabel)
734 735
        return 0;

736 737 738 739 740
    if (dev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS)
        return 0;

    switch (dev->source.subsys.type) {
    case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB: {
741
        usbDevice *usb = usbGetDevice(dev->source.subsys.u.usb.bus,
742
                                      dev->source.subsys.u.usb.device);
743 744 745 746

        if (!usb)
            goto done;

747
        ret = usbDeviceFileIterate(usb, SELinuxRestoreSecurityUSBLabel, NULL);
748
        usbFreeDevice(usb);
749 750 751 752 753

        break;
    }

    case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI: {
754
        pciDevice *pci = pciGetDevice(dev->source.subsys.u.pci.domain,
755 756 757 758 759 760 761
                                      dev->source.subsys.u.pci.bus,
                                      dev->source.subsys.u.pci.slot,
                                      dev->source.subsys.u.pci.function);

        if (!pci)
            goto done;

762
        ret = pciDeviceFileIterate(pci, SELinuxRestoreSecurityPCILabel, NULL);
763
        pciFreeDevice(pci);
764 765 766 767 768 769 770 771 772 773 774 775 776

        break;
    }

    default:
        ret = 0;
        break;
    }

done:
    return ret;
}

777 778 779

static int
SELinuxSetSecurityChardevLabel(virDomainObjPtr vm,
780
                               virDomainChrSourceDefPtr dev)
781 782 783 784 785 786

{
    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
    char *in = NULL, *out = NULL;
    int ret = -1;

787
    if (secdef->norelabel)
788 789 790 791 792 793 794 795 796
        return 0;

    switch (dev->type) {
    case VIR_DOMAIN_CHR_TYPE_DEV:
    case VIR_DOMAIN_CHR_TYPE_FILE:
        ret = SELinuxSetFilecon(dev->data.file.path, secdef->imagelabel);
        break;

    case VIR_DOMAIN_CHR_TYPE_PIPE:
797 798 799 800 801 802 803 804 805 806 807 808
        if (virFileExists(dev->data.file.path)) {
            if (SELinuxSetFilecon(dev->data.file.path, secdef->imagelabel) < 0)
                goto done;
        } else {
            if ((virAsprintf(&in, "%s.in", dev->data.file.path) < 0) ||
                (virAsprintf(&out, "%s.out", dev->data.file.path) < 0)) {
                virReportOOMError();
                goto done;
            }
            if ((SELinuxSetFilecon(in, secdef->imagelabel) < 0) ||
                (SELinuxSetFilecon(out, secdef->imagelabel) < 0))
                goto done;
809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825
        }
        ret = 0;
        break;

    default:
        ret = 0;
        break;
    }

done:
    VIR_FREE(in);
    VIR_FREE(out);
    return ret;
}

static int
SELinuxRestoreSecurityChardevLabel(virDomainObjPtr vm,
826
                                   virDomainChrSourceDefPtr dev)
827 828 829 830 831 832

{
    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
    char *in = NULL, *out = NULL;
    int ret = -1;

833
    if (secdef->norelabel)
834 835 836 837 838
        return 0;

    switch (dev->type) {
    case VIR_DOMAIN_CHR_TYPE_DEV:
    case VIR_DOMAIN_CHR_TYPE_FILE:
839 840 841
        if (SELinuxRestoreSecurityFileLabel(dev->data.file.path) < 0)
            goto done;
        ret = 0;
842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873
        break;
    case VIR_DOMAIN_CHR_TYPE_PIPE:
        if ((virAsprintf(&out, "%s.out", dev->data.file.path) < 0) ||
            (virAsprintf(&in, "%s.in", dev->data.file.path) < 0)) {
            virReportOOMError();
            goto done;
        }
        if ((SELinuxRestoreSecurityFileLabel(out) < 0) ||
            (SELinuxRestoreSecurityFileLabel(in) < 0))
            goto done;
        ret = 0;
        break;

    default:
        ret = 0;
        break;
    }

done:
    VIR_FREE(in);
    VIR_FREE(out);
    return ret;
}


static int
SELinuxRestoreSecurityChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
                                      virDomainChrDefPtr dev,
                                      void *opaque)
{
    virDomainObjPtr vm = opaque;

874
    return SELinuxRestoreSecurityChardevLabel(vm, &dev->source);
875 876 877
}


E
Eric Blake 已提交
878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909
static int
SELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
                                        virDomainSmartcardDefPtr dev,
                                        void *opaque)
{
    virDomainObjPtr vm = opaque;
    const char *database;

    switch (dev->type) {
    case VIR_DOMAIN_SMARTCARD_TYPE_HOST:
        break;

    case VIR_DOMAIN_SMARTCARD_TYPE_HOST_CERTIFICATES:
        database = dev->data.cert.database;
        if (!database)
            database = VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE;
        return SELinuxRestoreSecurityFileLabel(database);

    case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
        return SELinuxRestoreSecurityChardevLabel(vm, &dev->data.passthru);

    default:
        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                               _("unknown smartcard type %d"),
                               dev->type);
        return -1;
    }

    return 0;
}


910
static int
911
SELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
912
                               virDomainObjPtr vm,
913
                               int migrated ATTRIBUTE_UNUSED)
914 915 916 917
{
    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
    int i;
    int rc = 0;
918 919 920

    VIR_DEBUG("Restoring security label on %s", vm->def->name);

921
    if (secdef->norelabel)
922 923 924
        return 0;

    for (i = 0 ; i < vm->def->nhostdevs ; i++) {
925
        if (SELinuxRestoreSecurityHostdevLabel(mgr,
926 927
                                               vm,
                                               vm->def->hostdevs[i]) < 0)
928
            rc = -1;
929
    }
930
    for (i = 0 ; i < vm->def->ndisks ; i++) {
931
        if (SELinuxRestoreSecurityImageLabelInt(mgr,
932
                                                vm,
933 934
                                                vm->def->disks[i],
                                                migrated) < 0)
935 936
            rc = -1;
    }
937

938 939 940 941 942 943
    if (virDomainChrDefForeach(vm->def,
                               false,
                               SELinuxRestoreSecurityChardevCallback,
                               vm) < 0)
        rc = -1;

E
Eric Blake 已提交
944 945 946 947 948 949
    if (virDomainSmartcardDefForeach(vm->def,
                                     false,
                                     SELinuxRestoreSecuritySmartcardCallback,
                                     vm) < 0)
        rc = -1;

950 951 952 953 954 955 956 957
    if (vm->def->os.kernel &&
        SELinuxRestoreSecurityFileLabel(vm->def->os.kernel) < 0)
        rc = -1;

    if (vm->def->os.initrd &&
        SELinuxRestoreSecurityFileLabel(vm->def->os.initrd) < 0)
        rc = -1;

958 959 960 961
    return rc;
}

static int
962
SELinuxReleaseSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
963
                            virDomainObjPtr vm)
964 965 966
{
    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;

967 968 969 970 971 972 973 974 975 976 977
    if (secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
        if (secdef->label != NULL) {
            context_t con = context_new(secdef->label);
            if (con) {
                mcsRemove(context_range_get(con));
                context_free(con);
            }
        }
        VIR_FREE(secdef->label);
        if (!secdef->baselabel)
            VIR_FREE(secdef->model);
978 979 980
    }
    VIR_FREE(secdef->imagelabel);

981
    return 0;
982 983
}

984 985

static int
986
SELinuxSetSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
987
                          virDomainObjPtr vm,
988 989 990 991
                          const char *savefile)
{
    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;

992
    if (secdef->norelabel)
993 994
        return 0;

995
    return SELinuxSetFilecon(savefile, secdef->imagelabel);
996 997 998 999
}


static int
1000
SELinuxRestoreSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
1001
                              virDomainObjPtr vm,
1002 1003
                              const char *savefile)
{
1004 1005
    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;

1006
    if (secdef->norelabel)
1007 1008
        return 0;

1009
    return SELinuxRestoreSecurityFileLabel(savefile);
1010 1011 1012
}


1013
static int
1014 1015
SELinuxSecurityVerify(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                      virDomainDefPtr def)
1016 1017
{
    const virSecurityLabelDefPtr secdef = &def->seclabel;
1018 1019 1020 1021 1022 1023 1024 1025 1026
    if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                               _("security label driver mismatch: "
                                 "'%s' model configured for domain, but "
                                 "hypervisor driver is '%s'."),
                               secdef->model, virSecurityManagerGetModel(mgr));
        return -1;
    }

1027 1028
    if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC) {
        if (security_check_context(secdef->label) != 0) {
1029
            virSecurityReportError(VIR_ERR_XML_ERROR,
1030 1031 1032 1033 1034 1035 1036
                                   _("Invalid security label %s"), secdef->label);
            return -1;
        }
    }
    return 0;
}

1037
static int
1038
SELinuxSetSecurityProcessLabel(virSecurityManagerPtr mgr,
1039
                               virDomainObjPtr vm)
1040 1041 1042 1043
{
    /* TODO: verify DOI */
    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;

1044 1045 1046
    if (vm->def->seclabel.label == NULL)
        return 0;

1047
    if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
1048
        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
1049 1050 1051
                               _("security label driver mismatch: "
                                 "'%s' model configured for domain, but "
                                 "hypervisor driver is '%s'."),
1052
                               secdef->model, virSecurityManagerGetModel(mgr));
1053
        if (security_getenforce() == 1)
1054
            return -1;
1055 1056 1057
    }

    if (setexeccon(secdef->label) == -1) {
1058
        virReportSystemError(errno,
1059 1060
                             _("unable to set security context '%s'"),
                             secdef->label);
1061
        if (security_getenforce() == 1)
1062
            return -1;
1063 1064
    }

1065 1066 1067
    return 0;
}

1068
static int
1069 1070
SELinuxSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr,
                                    virDomainObjPtr vm)
1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081
{
    /* TODO: verify DOI */
    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
    context_t execcon = NULL;
    context_t proccon = NULL;
    security_context_t scon = NULL;
    int rc = -1;

    if (vm->def->seclabel.label == NULL)
        return 0;

1082
    if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
1083 1084 1085 1086
        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                               _("security label driver mismatch: "
                                 "'%s' model configured for domain, but "
                                 "hypervisor driver is '%s'."),
1087
                               secdef->model, virSecurityManagerGetModel(mgr));
1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115 1116 1117 1118 1119 1120 1121 1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 1136 1137 1138 1139
        goto done;
    }

    if ( !(execcon = context_new(secdef->label)) ) {
        virReportSystemError(errno,
                             _("unable to allocate socket security context '%s'"),
                             secdef->label);
        goto done;
    }

    if (getcon(&scon) == -1) {
        virReportSystemError(errno,
                             _("unable to get current process context '%s'"),
                             secdef->label);
        goto done;
    }

    if ( !(proccon = context_new(scon)) ) {
        virReportSystemError(errno,
                             _("unable to set socket security context '%s'"),
                             secdef->label);
        goto done;
    }

    if (context_range_set(proccon, context_range_get(execcon)) == -1) {
        virReportSystemError(errno,
                             _("unable to set socket security context range '%s'"),
                             secdef->label);
        goto done;
    }

    VIR_DEBUG("Setting VM %s socket context %s",
              vm->def->name, context_str(proccon));
    if (setsockcreatecon(context_str(proccon)) == -1) {
        virReportSystemError(errno,
                             _("unable to set socket security context '%s'"),
                             context_str(proccon));
        goto done;
    }

    rc = 0;
done:

    if (security_getenforce() != 1)
        rc = 0;
    if (execcon) context_free(execcon);
    if (proccon) context_free(proccon);
    freecon(scon);
    return rc;
}

static int
1140
SELinuxClearSecuritySocketLabel(virSecurityManagerPtr mgr,
1141 1142 1143 1144 1145 1146 1147 1148
                                virDomainObjPtr vm)
{
    /* TODO: verify DOI */
    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;

    if (vm->def->seclabel.label == NULL)
        return 0;

1149
    if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
1150 1151 1152 1153
        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                               _("security label driver mismatch: "
                                 "'%s' model configured for domain, but "
                                 "hypervisor driver is '%s'."),
1154
                               secdef->model, virSecurityManagerGetModel(mgr));
1155 1156 1157 1158 1159 1160 1161 1162 1163 1164 1165 1166 1167 1168
        if (security_getenforce() == 1)
            return -1;
    }

    if (setsockcreatecon(NULL) == -1) {
        virReportSystemError(errno,
                             _("unable to clear socket security context '%s'"),
                             secdef->label);
        if (security_getenforce() == 1)
            return -1;
    }
    return 0;
}

1169 1170 1171 1172 1173 1174 1175 1176

static int
SELinuxSetSecurityChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
                                  virDomainChrDefPtr dev,
                                  void *opaque)
{
    virDomainObjPtr vm = opaque;

1177
    return SELinuxSetSecurityChardevLabel(vm, &dev->source);
1178 1179 1180
}


E
Eric Blake 已提交
1181 1182 1183 1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194 1195 1196 1197 1198 1199 1200 1201 1202 1203 1204 1205 1206 1207 1208 1209 1210 1211 1212
static int
SELinuxSetSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
                                    virDomainSmartcardDefPtr dev,
                                    void *opaque)
{
    virDomainObjPtr vm = opaque;
    const char *database;

    switch (dev->type) {
    case VIR_DOMAIN_SMARTCARD_TYPE_HOST:
        break;

    case VIR_DOMAIN_SMARTCARD_TYPE_HOST_CERTIFICATES:
        database = dev->data.cert.database;
        if (!database)
            database = VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE;
        return SELinuxSetFilecon(database, default_content_context);

    case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
        return SELinuxSetSecurityChardevLabel(vm, &dev->data.passthru);

    default:
        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                               _("unknown smartcard type %d"),
                               dev->type);
        return -1;
    }

    return 0;
}


1213
static int
1214
SELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
1215 1216
                           virDomainObjPtr vm,
                           const char *stdin_path)
1217 1218 1219 1220
{
    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
    int i;

1221
    if (secdef->norelabel)
1222 1223 1224 1225 1226 1227 1228 1229
        return 0;

    for (i = 0 ; i < vm->def->ndisks ; i++) {
        /* XXX fixme - we need to recursively label the entire tree :-( */
        if (vm->def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_DIR) {
            VIR_WARN("Unable to relabel directory tree %s for disk %s",
                     vm->def->disks[i]->src, vm->def->disks[i]->dst);
            continue;
1230
        }
1231
        if (SELinuxSetSecurityImageLabel(mgr,
1232
                                         vm, vm->def->disks[i]) < 0)
1233 1234
            return -1;
    }
1235 1236
    /* XXX fixme process  vm->def->fss if relabel == true */

1237
    for (i = 0 ; i < vm->def->nhostdevs ; i++) {
1238
        if (SELinuxSetSecurityHostdevLabel(mgr,
1239 1240
                                           vm,
                                           vm->def->hostdevs[i]) < 0)
1241
            return -1;
1242 1243
    }

1244 1245 1246 1247 1248 1249
    if (virDomainChrDefForeach(vm->def,
                               true,
                               SELinuxSetSecurityChardevCallback,
                               vm) < 0)
        return -1;

E
Eric Blake 已提交
1250 1251 1252 1253 1254 1255
    if (virDomainSmartcardDefForeach(vm->def,
                                     true,
                                     SELinuxSetSecuritySmartcardCallback,
                                     vm) < 0)
        return -1;

1256 1257 1258 1259 1260 1261 1262 1263
    if (vm->def->os.kernel &&
        SELinuxSetFilecon(vm->def->os.kernel, default_content_context) < 0)
        return -1;

    if (vm->def->os.initrd &&
        SELinuxSetFilecon(vm->def->os.initrd, default_content_context) < 0)
        return -1;

1264 1265 1266 1267 1268 1269
    if (stdin_path) {
        if (SELinuxSetFilecon(stdin_path, default_content_context) < 0 &&
            virStorageFileIsSharedFSType(stdin_path,
                                         VIR_STORAGE_FILE_SHFS_NFS) != 1)
            return -1;
    }
1270

1271 1272 1273
    return 0;
}

1274
static int
1275 1276 1277
SELinuxSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                       virDomainObjPtr vm,
                       int fd)
1278 1279 1280 1281 1282 1283 1284 1285 1286
{
    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;

    if (secdef->imagelabel == NULL)
        return 0;

    return SELinuxFSetFilecon(fd, secdef->imagelabel);
}

1287 1288 1289 1290 1291 1292 1293 1294 1295 1296 1297 1298 1299
static int
SELinuxSetProcessFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                         virDomainObjPtr vm,
                         int fd)
{
    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;

    if (secdef->label == NULL)
        return 0;

    return SELinuxFSetFilecon(fd, secdef->label);
}

1300 1301 1302 1303 1304 1305 1306 1307 1308 1309 1310 1311 1312 1313 1314
virSecurityDriver virSecurityDriverSELinux = {
    0,
    SECURITY_SELINUX_NAME,
    SELinuxSecurityDriverProbe,
    SELinuxSecurityDriverOpen,
    SELinuxSecurityDriverClose,

    SELinuxSecurityGetModel,
    SELinuxSecurityGetDOI,

    SELinuxSecurityVerify,

    SELinuxSetSecurityImageLabel,
    SELinuxRestoreSecurityImageLabel,

1315
    SELinuxSetSecurityDaemonSocketLabel,
1316 1317 1318 1319 1320 1321 1322 1323 1324 1325 1326 1327 1328 1329 1330 1331 1332
    SELinuxClearSecuritySocketLabel,

    SELinuxGenSecurityLabel,
    SELinuxReserveSecurityLabel,
    SELinuxReleaseSecurityLabel,

    SELinuxGetSecurityProcessLabel,
    SELinuxSetSecurityProcessLabel,

    SELinuxSetSecurityAllLabel,
    SELinuxRestoreSecurityAllLabel,

    SELinuxSetSecurityHostdevLabel,
    SELinuxRestoreSecurityHostdevLabel,

    SELinuxSetSavedStateLabel,
    SELinuxRestoreSavedStateLabel,
1333

1334
    SELinuxSetImageFDLabel,
1335
    SELinuxSetProcessFDLabel,
1336
};