security_dac.c 32.6 KB
Newer Older
1
/*
2
 * Copyright (C) 2010-2013 Red Hat, Inc.
3 4 5 6 7 8 9 10 11 12 13 14
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
15
 * License along with this library.  If not, see
O
Osier Yang 已提交
16
 * <http://www.gnu.org/licenses/>.
17 18 19 20 21 22 23 24 25 26
 *
 * POSIX DAC security driver
 */

#include <config.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

#include "security_dac.h"
27
#include "virerror.h"
28
#include "virutil.h"
29
#include "viralloc.h"
30
#include "virlog.h"
31
#include "virpci.h"
32
#include "virusb.h"
33
#include "virstoragefile.h"
34 35

#define VIR_FROM_THIS VIR_FROM_SECURITY
36
#define SECURITY_DAC_NAME "dac"
37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67

typedef struct _virSecurityDACData virSecurityDACData;
typedef virSecurityDACData *virSecurityDACDataPtr;

struct _virSecurityDACData {
    uid_t user;
    gid_t group;
    bool dynamicOwnership;
};

void virSecurityDACSetUser(virSecurityManagerPtr mgr,
                           uid_t user)
{
    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
    priv->user = user;
}

void virSecurityDACSetGroup(virSecurityManagerPtr mgr,
                            gid_t group)
{
    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
    priv->group = group;
}

void virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr,
                                       bool dynamicOwnership)
{
    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
    priv->dynamicOwnership = dynamicOwnership;
}

68 69 70
static
int parseIds(const char *label, uid_t *uidPtr, gid_t *gidPtr)
{
71
    int rc = -1;
72 73
    uid_t theuid;
    gid_t thegid;
74 75 76 77 78 79 80 81 82 83
    char *tmp_label = NULL;
    char *sep = NULL;
    char *owner = NULL;
    char *group = NULL;

    tmp_label = strdup(label);
    if (tmp_label == NULL) {
        virReportOOMError();
        goto cleanup;
    }
84

85 86 87 88 89 90 91 92 93 94 95 96
    /* Split label */
    sep = strchr(tmp_label, ':');
    if (sep == NULL) {
        virReportError(VIR_ERR_INVALID_ARG,
                       _("Missing separator ':' in DAC label \"%s\""),
                       label);
        goto cleanup;
    }
    *sep = '\0';
    owner = tmp_label;
    group = sep + 1;

97 98 99 100 101 102
    /* Parse owner and group, error message is defined by
     * virGetUserID or virGetGroupID.
     */
    if (virGetUserID(owner, &theuid) < 0 ||
        virGetGroupID(group, &thegid) < 0)
        goto cleanup;
103 104

    if (uidPtr)
105
        *uidPtr = theuid;
106
    if (gidPtr)
107
        *gidPtr = thegid;
108 109 110 111 112 113 114

    rc = 0;

cleanup:
    VIR_FREE(tmp_label);

    return rc;
115 116
}

117
/* returns 1 if label isn't found, 0 on success, -1 on error */
118 119 120 121 122 123 124 125
static
int virSecurityDACParseIds(virDomainDefPtr def, uid_t *uidPtr, gid_t *gidPtr)
{
    uid_t uid;
    gid_t gid;
    virSecurityLabelDefPtr seclabel;

    if (def == NULL)
126
        return 1;
127 128

    seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
129
    if (seclabel == NULL || seclabel->label == NULL) {
130 131
        VIR_DEBUG("DAC seclabel for domain '%s' wasn't found", def->name);
        return 1;
132 133
    }

134
    if (parseIds(seclabel->label, &uid, &gid) < 0)
135 136 137 138 139 140 141 142 143 144 145 146 147 148
        return -1;

    if (uidPtr)
        *uidPtr = uid;
    if (gidPtr)
        *gidPtr = gid;

    return 0;
}

static
int virSecurityDACGetIds(virDomainDefPtr def, virSecurityDACDataPtr priv,
                         uid_t *uidPtr, gid_t *gidPtr)
{
149 150 151 152 153 154 155
    int ret;

    if (!def && !priv) {
        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
                       _("Failed to determine default DAC seclabel "
                         "for an unknown object"));
        return -1;
156
    }
157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173

    if ((ret = virSecurityDACParseIds(def, uidPtr, gidPtr)) <= 0)
        return ret;

    if (!priv) {
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("DAC seclabel couldn't be determined "
                         "for domain '%s'"), def->name);
        return -1;
    }

    if (uidPtr)
        *uidPtr = priv->user;
    if (gidPtr)
        *gidPtr = priv->group;

    return 0;
174 175
}

176 177

/* returns 1 if label isn't found, 0 on success, -1 on error */
178 179 180 181 182 183 184 185 186
static
int virSecurityDACParseImageIds(virDomainDefPtr def,
                                uid_t *uidPtr, gid_t *gidPtr)
{
    uid_t uid;
    gid_t gid;
    virSecurityLabelDefPtr seclabel;

    if (def == NULL)
187
        return 1;
188 189

    seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
190
    if (seclabel == NULL || seclabel->imagelabel == NULL) {
191 192
        VIR_DEBUG("DAC imagelabel for domain '%s' wasn't found", def->name);
        return 1;
193 194
    }

195
    if (parseIds(seclabel->imagelabel, &uid, &gid) < 0)
196 197 198 199 200 201 202 203 204 205 206 207 208 209
        return -1;

    if (uidPtr)
        *uidPtr = uid;
    if (gidPtr)
        *gidPtr = gid;

    return 0;
}

static
int virSecurityDACGetImageIds(virDomainDefPtr def, virSecurityDACDataPtr priv,
                         uid_t *uidPtr, gid_t *gidPtr)
{
210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226
    int ret;

    if (!def && !priv) {
        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
                       _("Failed to determine default DAC imagelabel "
                         "for an unknown object"));
        return -1;
    }

    if ((ret = virSecurityDACParseImageIds(def, uidPtr, gidPtr)) <= 0)
        return ret;

    if (!priv) {
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("DAC imagelabel couldn't be determined "
                         "for domain '%s'"), def->name);
        return -1;
227
    }
228 229 230 231 232 233 234

    if (uidPtr)
        *uidPtr = priv->user;
    if (gidPtr)
        *gidPtr = priv->group;

    return 0;
235 236 237
}


238
static virSecurityDriverStatus
239
virSecurityDACProbe(const char *virtDriver ATTRIBUTE_UNUSED)
240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258
{
    return SECURITY_DRIVER_ENABLE;
}

static int
virSecurityDACOpen(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
{
    return 0;
}

static int
virSecurityDACClose(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
{
    return 0;
}


static const char * virSecurityDACGetModel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
{
259
    return SECURITY_DAC_NAME;
260 261 262 263 264 265 266 267
}

static const char * virSecurityDACGetDOI(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
{
    return "0";
}

static int
268
virSecurityDACSetOwnership(const char *path, uid_t uid, gid_t gid)
269
{
270 271
    VIR_INFO("Setting DAC user and group on '%s' to '%ld:%ld'",
             path, (long) uid, (long) gid);
272 273 274 275 276 277 278 279 280 281 282 283 284

    if (chown(path, uid, gid) < 0) {
        struct stat sb;
        int chown_errno = errno;

        if (stat(path, &sb) >= 0) {
            if (sb.st_uid == uid &&
                sb.st_gid == gid) {
                /* It's alright, there's nothing to change anyway. */
                return 0;
            }
        }

285
        if (chown_errno == EOPNOTSUPP || chown_errno == EINVAL) {
286 287 288
            VIR_INFO("Setting user and group to '%ld:%ld' on '%s' not "
                     "supported by filesystem",
                     (long) uid, (long) gid, path);
289
        } else if (chown_errno == EPERM) {
290 291 292
            VIR_INFO("Setting user and group to '%ld:%ld' on '%s' not "
                     "permitted",
                     (long) uid, (long) gid, path);
293
        } else if (chown_errno == EROFS) {
294 295 296
            VIR_INFO("Setting user and group to '%ld:%ld' on '%s' not "
                     "possible on readonly filesystem",
                     (long) uid, (long) gid, path);
297 298
        } else {
            virReportSystemError(chown_errno,
299 300 301
                                 _("unable to set user and group to '%ld:%ld' "
                                   "on '%s'"),
                                 (long) uid, (long) gid, path);
302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340
            return -1;
        }
    }
    return 0;
}

static int
virSecurityDACRestoreSecurityFileLabel(const char *path)
{
    struct stat buf;
    int rc = -1;
    char *newpath = NULL;

    VIR_INFO("Restoring DAC user and group on '%s'", path);

    if (virFileResolveLink(path, &newpath) < 0) {
        virReportSystemError(errno,
                             _("cannot resolve symlink %s"), path);
        goto err;
    }

    if (stat(newpath, &buf) != 0)
        goto err;

    /* XXX record previous ownership */
    rc = virSecurityDACSetOwnership(newpath, 0, 0);

err:
    VIR_FREE(newpath);
    return rc;
}


static int
virSecurityDACSetSecurityFileLabel(virDomainDiskDefPtr disk ATTRIBUTE_UNUSED,
                                   const char *path,
                                   size_t depth ATTRIBUTE_UNUSED,
                                   void *opaque)
{
341 342 343
    void **params = opaque;
    virSecurityManagerPtr mgr = params[0];
    virDomainDefPtr def = params[1];
344
    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
345 346 347 348 349
    uid_t user;
    gid_t group;

    if (virSecurityDACGetImageIds(def, priv, &user, &group))
        return -1;
350

351
    return virSecurityDACSetOwnership(path, user, group);
352 353 354 355 356
}


static int
virSecurityDACSetSecurityImageLabel(virSecurityManagerPtr mgr,
357
                                    virDomainDefPtr def ATTRIBUTE_UNUSED,
358 359 360
                                    virDomainDiskDefPtr disk)

{
361
    void *params[2];
362 363 364 365 366
    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);

    if (!priv->dynamicOwnership)
        return 0;

367 368 369
    if (disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK)
        return 0;

370 371
    params[0] = mgr;
    params[1] = def;
372 373 374
    return virDomainDiskDefForeachPath(disk,
                                       false,
                                       virSecurityDACSetSecurityFileLabel,
375
                                       params);
376 377 378 379 380
}


static int
virSecurityDACRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr,
381
                                           virDomainDefPtr def ATTRIBUTE_UNUSED,
382 383 384 385 386 387 388 389
                                           virDomainDiskDefPtr disk,
                                           int migrated)
{
    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);

    if (!priv->dynamicOwnership)
        return 0;

390 391 392
    if (disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK)
        return 0;

393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428
    /* Don't restore labels on readoly/shared disks, because
     * other VMs may still be accessing these
     * Alternatively we could iterate over all running
     * domains and try to figure out if it is in use, but
     * this would not work for clustered filesystems, since
     * we can't see running VMs using the file on other nodes
     * Safest bet is thus to skip the restore step.
     */
    if (disk->readonly || disk->shared)
        return 0;

    if (!disk->src)
        return 0;

    /* If we have a shared FS & doing migrated, we must not
     * change ownership, because that kills access on the
     * destination host which is sub-optimal for the guest
     * VM's I/O attempts :-)
     */
    if (migrated) {
        int rc = virStorageFileIsSharedFS(disk->src);
        if (rc < 0)
            return -1;
        if (rc == 1) {
            VIR_DEBUG("Skipping image label restore on %s because FS is shared",
                      disk->src);
            return 0;
        }
    }

    return virSecurityDACRestoreSecurityFileLabel(disk->src);
}


static int
virSecurityDACRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
429
                                        virDomainDefPtr def,
430 431
                                        virDomainDiskDefPtr disk)
{
432
    return virSecurityDACRestoreSecurityImageLabelInt(mgr, def, disk, 0);
433 434 435 436
}


static int
437
virSecurityDACSetSecurityPCILabel(virPCIDevicePtr dev ATTRIBUTE_UNUSED,
438 439 440
                                  const char *file,
                                  void *opaque)
{
441 442 443
    void **params = opaque;
    virSecurityManagerPtr mgr = params[0];
    virDomainDefPtr def = params[1];
444
    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
445 446
    uid_t user;
    gid_t group;
447

448 449 450 451
    if (virSecurityDACGetIds(def, priv, &user, &group))
        return -1;

    return virSecurityDACSetOwnership(file, user, group);
452 453 454 455
}


static int
456
virSecurityDACSetSecurityUSBLabel(virUSBDevicePtr dev ATTRIBUTE_UNUSED,
457 458 459
                                  const char *file,
                                  void *opaque)
{
460 461 462
    void **params = opaque;
    virSecurityManagerPtr mgr = params[0];
    virDomainDefPtr def = params[1];
463
    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
464 465
    uid_t user;
    gid_t group;
466

467 468 469 470
    if (virSecurityDACGetIds(def, priv, &user, &group))
        return -1;

    return virSecurityDACSetOwnership(file, user, group);
471 472 473 474 475
}


static int
virSecurityDACSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
476
                                      virDomainDefPtr def,
477 478
                                      virDomainHostdevDefPtr dev,
                                      const char *vroot)
479
{
480
    void *params[] = {mgr, def};
481 482 483 484 485 486 487 488 489 490 491
    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
    int ret = -1;

    if (!priv->dynamicOwnership)
        return 0;

    if (dev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS)
        return 0;

    switch (dev->source.subsys.type) {
    case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB: {
492
        virUSBDevicePtr usb;
493

494 495 496
        if (dev->missing)
            return 0;

497 498 499
        usb = virUSBDeviceNew(dev->source.subsys.u.usb.bus,
                              dev->source.subsys.u.usb.device,
                              vroot);
500 501 502
        if (!usb)
            goto done;

503 504 505
        ret = virUSBDeviceFileIterate(usb, virSecurityDACSetSecurityUSBLabel,
                                      params);
        virUSBDeviceFree(usb);
506 507 508 509
        break;
    }

    case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI: {
510 511 512 513 514
        virPCIDevicePtr pci =
            virPCIDeviceNew(dev->source.subsys.u.pci.domain,
                            dev->source.subsys.u.pci.bus,
                            dev->source.subsys.u.pci.slot,
                            dev->source.subsys.u.pci.function);
515 516 517 518

        if (!pci)
            goto done;

519 520 521
        ret = virPCIDeviceFileIterate(pci, virSecurityDACSetSecurityPCILabel,
                                      params);
        virPCIDeviceFree(pci);
522 523 524 525 526 527 528 529 530 531 532 533 534 535 536

        break;
    }

    default:
        ret = 0;
        break;
    }

done:
    return ret;
}


static int
537
virSecurityDACRestoreSecurityPCILabel(virPCIDevicePtr dev ATTRIBUTE_UNUSED,
538 539 540 541 542 543 544 545
                                      const char *file,
                                      void *opaque ATTRIBUTE_UNUSED)
{
    return virSecurityDACRestoreSecurityFileLabel(file);
}


static int
546 547 548
virSecurityDACRestoreSecurityUSBLabel(virUSBDevicePtr dev ATTRIBUTE_UNUSED,
                                      const char *file,
                                      void *opaque ATTRIBUTE_UNUSED)
549 550 551 552 553 554 555
{
    return virSecurityDACRestoreSecurityFileLabel(file);
}


static int
virSecurityDACRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
556 557 558
                                          virDomainDefPtr def ATTRIBUTE_UNUSED,
                                          virDomainHostdevDefPtr dev,
                                          const char *vroot)
559 560 561 562 563 564 565 566 567 568 569 570 571

{
    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
    int ret = -1;

    if (!priv->dynamicOwnership)
        return 0;

    if (dev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS)
        return 0;

    switch (dev->source.subsys.type) {
    case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB: {
572
        virUSBDevicePtr usb;
573 574 575

        if (dev->missing)
            return 0;
576

577 578 579
        usb = virUSBDeviceNew(dev->source.subsys.u.usb.bus,
                              dev->source.subsys.u.usb.device,
                              vroot);
580 581 582
        if (!usb)
            goto done;

583 584
        ret = virUSBDeviceFileIterate(usb, virSecurityDACRestoreSecurityUSBLabel, mgr);
        virUSBDeviceFree(usb);
585 586 587 588 589

        break;
    }

    case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI: {
590 591 592 593 594
        virPCIDevicePtr pci =
            virPCIDeviceNew(dev->source.subsys.u.pci.domain,
                            dev->source.subsys.u.pci.bus,
                            dev->source.subsys.u.pci.slot,
                            dev->source.subsys.u.pci.function);
595 596 597 598

        if (!pci)
            goto done;

599 600
        ret = virPCIDeviceFileIterate(pci, virSecurityDACRestoreSecurityPCILabel, mgr);
        virPCIDeviceFree(pci);
601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616

        break;
    }

    default:
        ret = 0;
        break;
    }

done:
    return ret;
}


static int
virSecurityDACSetChardevLabel(virSecurityManagerPtr mgr,
617
                              virDomainDefPtr def,
618
                              virDomainChrSourceDefPtr dev)
619 620 621 622 623

{
    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
    char *in = NULL, *out = NULL;
    int ret = -1;
624 625 626 627 628
    uid_t user;
    gid_t group;

    if (virSecurityDACGetIds(def, priv, &user, &group))
        return -1;
629 630 631 632

    switch (dev->type) {
    case VIR_DOMAIN_CHR_TYPE_DEV:
    case VIR_DOMAIN_CHR_TYPE_FILE:
633
        ret = virSecurityDACSetOwnership(dev->data.file.path, user, group);
634 635 636
        break;

    case VIR_DOMAIN_CHR_TYPE_PIPE:
637 638 639 640 641 642
        if ((virAsprintf(&in, "%s.in", dev->data.file.path) < 0) ||
            (virAsprintf(&out, "%s.out", dev->data.file.path) < 0)) {
            virReportOOMError();
            goto done;
        }
        if (virFileExists(in) && virFileExists(out)) {
643 644
            if ((virSecurityDACSetOwnership(in, user, group) < 0) ||
                (virSecurityDACSetOwnership(out, user, group) < 0)) {
645
                goto done;
646 647
            }
        } else if (virSecurityDACSetOwnership(dev->data.file.path,
648
                                              user, group) < 0) {
649
            goto done;
650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666
        }
        ret = 0;
        break;

    default:
        ret = 0;
        break;
    }

done:
    VIR_FREE(in);
    VIR_FREE(out);
    return ret;
}

static int
virSecurityDACRestoreChardevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
667
                                  virDomainChrSourceDefPtr dev)
668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683
{
    char *in = NULL, *out = NULL;
    int ret = -1;

    switch (dev->type) {
    case VIR_DOMAIN_CHR_TYPE_DEV:
    case VIR_DOMAIN_CHR_TYPE_FILE:
        ret = virSecurityDACRestoreSecurityFileLabel(dev->data.file.path);
        break;

    case VIR_DOMAIN_CHR_TYPE_PIPE:
        if ((virAsprintf(&out, "%s.out", dev->data.file.path) < 0) ||
            (virAsprintf(&in, "%s.in", dev->data.file.path) < 0)) {
            virReportOOMError();
            goto done;
        }
684 685 686
        if (virFileExists(in) && virFileExists(out)) {
            if ((virSecurityDACRestoreSecurityFileLabel(out) < 0) ||
                (virSecurityDACRestoreSecurityFileLabel(in) < 0)) {
687
            goto done;
688 689 690 691
            }
        } else if (virSecurityDACRestoreSecurityFileLabel(dev->data.file.path) < 0) {
            goto done;
        }
692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713
        ret = 0;
        break;

    default:
        ret = 0;
        break;
    }

done:
    VIR_FREE(in);
    VIR_FREE(out);
    return ret;
}


static int
virSecurityDACRestoreChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
                                     virDomainChrDefPtr dev,
                                     void *opaque)
{
    virSecurityManagerPtr mgr = opaque;

714
    return virSecurityDACRestoreChardevLabel(mgr, &dev->source);
715 716 717
}


718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757
static int
virSecurityDACSetSecurityTPMFileLabel(virSecurityManagerPtr mgr,
                                      virDomainDefPtr def,
                                      virDomainTPMDefPtr tpm)
{
    int ret = 0;

    switch (tpm->type) {
    case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
        ret = virSecurityDACSetChardevLabel(mgr, def,
                                            &tpm->data.passthrough.source);
        break;
    case VIR_DOMAIN_TPM_TYPE_LAST:
        break;
    }

    return ret;
}


static int
virSecurityDACRestoreSecurityTPMFileLabel(
                                   virSecurityManagerPtr mgr,
                                   virDomainTPMDefPtr tpm)
{
    int ret = 0;

    switch (tpm->type) {
    case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
        ret = virSecurityDACRestoreChardevLabel(mgr,
                                          &tpm->data.passthrough.source);
        break;
    case VIR_DOMAIN_TPM_TYPE_LAST:
        break;
    }

    return ret;
}


758 759
static int
virSecurityDACRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
760
                                      virDomainDefPtr def,
761 762 763 764 765 766 767 768 769 770 771
                                      int migrated)
{
    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
    int i;
    int rc = 0;

    if (!priv->dynamicOwnership)
        return 0;


    VIR_DEBUG("Restoring security label on %s migrated=%d",
772
              def->name, migrated);
773

774
    for (i = 0 ; i < def->nhostdevs ; i++) {
775
        if (virSecurityDACRestoreSecurityHostdevLabel(mgr,
776
                                                      def,
777 778
                                                      def->hostdevs[i],
                                                      NULL) < 0)
779 780
            rc = -1;
    }
781
    for (i = 0 ; i < def->ndisks ; i++) {
782
        if (virSecurityDACRestoreSecurityImageLabelInt(mgr,
783 784
                                                       def,
                                                       def->disks[i],
785 786 787 788
                                                       migrated) < 0)
            rc = -1;
    }

789
    if (virDomainChrDefForeach(def,
790 791
                               false,
                               virSecurityDACRestoreChardevCallback,
792
                               mgr) < 0)
793 794
        rc = -1;

795 796 797 798 799 800
    if (def->tpm) {
        if (virSecurityDACRestoreSecurityTPMFileLabel(mgr,
                                                      def->tpm) < 0)
            rc = -1;
    }

801 802
    if (def->os.kernel &&
        virSecurityDACRestoreSecurityFileLabel(def->os.kernel) < 0)
803 804
        rc = -1;

805 806
    if (def->os.initrd &&
        virSecurityDACRestoreSecurityFileLabel(def->os.initrd) < 0)
807 808
        rc = -1;

O
Olivia Yin 已提交
809 810 811 812
    if (def->os.dtb &&
        virSecurityDACRestoreSecurityFileLabel(def->os.dtb) < 0)
        rc = -1;

813 814 815 816 817 818 819 820 821 822 823
    return rc;
}


static int
virSecurityDACSetChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
                                 virDomainChrDefPtr dev,
                                 void *opaque)
{
    virSecurityManagerPtr mgr = opaque;

824
    return virSecurityDACSetChardevLabel(mgr, def, &dev->source);
825 826 827 828 829
}


static int
virSecurityDACSetSecurityAllLabel(virSecurityManagerPtr mgr,
830
                                  virDomainDefPtr def,
831 832 833 834
                                  const char *stdin_path ATTRIBUTE_UNUSED)
{
    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
    int i;
835 836
    uid_t user;
    gid_t group;
837 838 839 840

    if (!priv->dynamicOwnership)
        return 0;

841
    for (i = 0 ; i < def->ndisks ; i++) {
842
        /* XXX fixme - we need to recursively label the entire tree :-( */
843
        if (def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_DIR)
844 845
            continue;
        if (virSecurityDACSetSecurityImageLabel(mgr,
846 847
                                                def,
                                                def->disks[i]) < 0)
848 849
            return -1;
    }
850
    for (i = 0 ; i < def->nhostdevs ; i++) {
851
        if (virSecurityDACSetSecurityHostdevLabel(mgr,
852
                                                  def,
853 854
                                                  def->hostdevs[i],
                                                  NULL) < 0)
855 856 857
            return -1;
    }

858
    if (virDomainChrDefForeach(def,
859 860
                               true,
                               virSecurityDACSetChardevCallback,
861
                               mgr) < 0)
862 863
        return -1;

864 865 866 867 868 869 870
    if (def->tpm) {
        if (virSecurityDACSetSecurityTPMFileLabel(mgr,
                                                  def,
                                                  def->tpm) < 0)
            return -1;
    }

871 872 873
    if (virSecurityDACGetImageIds(def, priv, &user, &group))
        return -1;

874
    if (def->os.kernel &&
875
        virSecurityDACSetOwnership(def->os.kernel, user, group) < 0)
876 877
        return -1;

878
    if (def->os.initrd &&
879
        virSecurityDACSetOwnership(def->os.initrd, user, group) < 0)
880 881
        return -1;

O
Olivia Yin 已提交
882 883 884 885
    if (def->os.dtb &&
        virSecurityDACSetOwnership(def->os.dtb, user, group) < 0)
        return -1;

886 887 888 889 890 891
    return 0;
}


static int
virSecurityDACSetSavedStateLabel(virSecurityManagerPtr mgr,
892
                                 virDomainDefPtr def,
893 894
                                 const char *savefile)
{
895 896
    uid_t user;
    gid_t group;
897 898
    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);

899 900 901 902
    if (virSecurityDACGetImageIds(def, priv, &user, &group))
        return -1;

    return virSecurityDACSetOwnership(savefile, user, group);
903 904 905 906 907
}


static int
virSecurityDACRestoreSavedStateLabel(virSecurityManagerPtr mgr,
908
                                     virDomainDefPtr def ATTRIBUTE_UNUSED,
909 910 911 912 913 914 915 916 917 918 919 920 921
                                     const char *savefile)
{
    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);

    if (!priv->dynamicOwnership)
        return 0;

    return virSecurityDACRestoreSecurityFileLabel(savefile);
}


static int
virSecurityDACSetProcessLabel(virSecurityManagerPtr mgr,
922
                              virDomainDefPtr def ATTRIBUTE_UNUSED)
923
{
924 925
    uid_t user;
    gid_t group;
926 927
    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);

928 929 930
    if (virSecurityDACGetIds(def, priv, &user, &group))
        return -1;

931 932
    VIR_DEBUG("Dropping privileges of DEF to %u:%u",
              (unsigned int) user, (unsigned int) group);
933

934
    if (virSetUIDGID(user, group) < 0)
935 936 937 938 939 940
        return -1;

    return 0;
}


941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961
static int
virSecurityDACSetChildProcessLabel(virSecurityManagerPtr mgr,
                                   virDomainDefPtr def ATTRIBUTE_UNUSED,
                                   virCommandPtr cmd)
{
    uid_t user;
    gid_t group;
    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);

    if (virSecurityDACGetIds(def, priv, &user, &group))
        return -1;

    VIR_DEBUG("Setting child to drop privileges of DEF to %u:%u",
              (unsigned int) user, (unsigned int) group);

    virCommandSetUID(cmd, user);
    virCommandSetGID(cmd, group);
    return 0;
}


962 963 964 965 966 967 968 969
static int
virSecurityDACVerify(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                     virDomainDefPtr def ATTRIBUTE_UNUSED)
{
    return 0;
}

static int
970 971
virSecurityDACGenLabel(virSecurityManagerPtr mgr,
                       virDomainDefPtr def)
972
{
973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997
    int rc = -1;
    virSecurityLabelDefPtr seclabel;
    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);

    seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
    if (seclabel == NULL) {
        return rc;
    }

    if (seclabel->imagelabel) {
        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
                       _("security image label already "
                         "defined for VM"));
        return rc;
    }

    if (seclabel->model
        && STRNEQ(seclabel->model, SECURITY_DAC_NAME)) {
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("security label model %s is not supported "
                         "with selinux"),
                       seclabel->model);
            return rc;
    }

998
    switch (seclabel->type) {
999 1000 1001 1002 1003 1004 1005 1006 1007
    case VIR_DOMAIN_SECLABEL_STATIC:
        if (seclabel->label == NULL) {
            virReportError(VIR_ERR_INTERNAL_ERROR,
                           _("missing label for static security "
                             "driver in domain %s"), def->name);
            return rc;
        }
        break;
    case VIR_DOMAIN_SECLABEL_DYNAMIC:
E
Eric Blake 已提交
1008
        if (virAsprintf(&seclabel->label, "%u:%u",
1009 1010
                        (unsigned int) priv->user,
                        (unsigned int) priv->group) < 0) {
1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022
            virReportOOMError();
            return rc;
        }
        if (seclabel->label == NULL) {
            virReportError(VIR_ERR_INTERNAL_ERROR,
                           _("cannot generate dac user and group id "
                             "for domain %s"), def->name);
            return rc;
        }
        break;
    case VIR_DOMAIN_SECLABEL_NONE:
        /* no op */
1023
        return 0;
1024 1025 1026 1027 1028 1029 1030 1031
    default:
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("unexpected security label type '%s'"),
                       virDomainSeclabelTypeToString(seclabel->type));
        return rc;
    }

    if (!seclabel->norelabel) {
1032
        if (seclabel->imagelabel == NULL && seclabel->label != NULL) {
1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044
            seclabel->imagelabel = strdup(seclabel->label);
            if (seclabel->imagelabel == NULL) {
                virReportError(VIR_ERR_INTERNAL_ERROR,
                               _("cannot generate dac user and group id "
                                 "for domain %s"), def->name);
                VIR_FREE(seclabel->label);
                seclabel->label = NULL;
                return rc;
            }
        }
    }

1045 1046 1047 1048 1049
    return 0;
}

static int
virSecurityDACReleaseLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
1050
                           virDomainDefPtr def ATTRIBUTE_UNUSED)
1051 1052 1053 1054 1055 1056
{
    return 0;
}

static int
virSecurityDACReserveLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
1057 1058
                           virDomainDefPtr def ATTRIBUTE_UNUSED,
                           pid_t pid ATTRIBUTE_UNUSED)
1059 1060 1061 1062 1063 1064
{
    return 0;
}

static int
virSecurityDACGetProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
1065 1066
                              virDomainDefPtr def ATTRIBUTE_UNUSED,
                              pid_t pid ATTRIBUTE_UNUSED,
1067 1068
                              virSecurityLabelPtr seclabel ATTRIBUTE_UNUSED)
{
1069 1070 1071 1072 1073 1074 1075
    virSecurityLabelDefPtr secdef =
        virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);

    if (!secdef || !seclabel)
        return -1;

    if (secdef->label)
1076 1077
        ignore_value(virStrcpy(seclabel->label, secdef->label,
                               VIR_SECURITY_LABEL_BUFLEN));
1078

1079 1080 1081 1082
    return 0;
}

static int
1083
virSecurityDACSetDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
1084
                                   virDomainDefPtr vm ATTRIBUTE_UNUSED)
1085 1086 1087 1088 1089
{
    return 0;
}


1090 1091
static int
virSecurityDACSetSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
1092
                             virDomainDefPtr def ATTRIBUTE_UNUSED)
1093 1094 1095 1096 1097
{
    return 0;
}


1098 1099
static int
virSecurityDACClearSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
1100
                               virDomainDefPtr def ATTRIBUTE_UNUSED)
1101 1102 1103 1104
{
    return 0;
}

1105
static int
1106
virSecurityDACSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
1107
                              virDomainDefPtr def ATTRIBUTE_UNUSED,
1108
                              int fd ATTRIBUTE_UNUSED)
1109 1110 1111 1112
{
    return 0;
}

1113 1114 1115 1116 1117 1118 1119 1120
static int
virSecurityDACSetTapFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                            virDomainDefPtr def ATTRIBUTE_UNUSED,
                            int fd ATTRIBUTE_UNUSED)
{
    return 0;
}

1121 1122 1123 1124 1125
static char *virSecurityDACGetMountOptions(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                           virDomainDefPtr vm ATTRIBUTE_UNUSED) {
    return NULL;
}

1126
virSecurityDriver virSecurityDriverDAC = {
1127
    .privateDataLen                     = sizeof(virSecurityDACData),
1128
    .name                               = SECURITY_DAC_NAME,
1129 1130 1131
    .probe                              = virSecurityDACProbe,
    .open                               = virSecurityDACOpen,
    .close                              = virSecurityDACClose,
1132

1133 1134
    .getModel                           = virSecurityDACGetModel,
    .getDOI                             = virSecurityDACGetDOI,
1135

1136
    .domainSecurityVerify               = virSecurityDACVerify,
1137

1138 1139
    .domainSetSecurityImageLabel        = virSecurityDACSetSecurityImageLabel,
    .domainRestoreSecurityImageLabel    = virSecurityDACRestoreSecurityImageLabel,
1140

1141 1142 1143
    .domainSetSecurityDaemonSocketLabel = virSecurityDACSetDaemonSocketLabel,
    .domainSetSecuritySocketLabel       = virSecurityDACSetSocketLabel,
    .domainClearSecuritySocketLabel     = virSecurityDACClearSocketLabel,
1144

1145 1146 1147
    .domainGenSecurityLabel             = virSecurityDACGenLabel,
    .domainReserveSecurityLabel         = virSecurityDACReserveLabel,
    .domainReleaseSecurityLabel         = virSecurityDACReleaseLabel,
1148

1149 1150
    .domainGetSecurityProcessLabel      = virSecurityDACGetProcessLabel,
    .domainSetSecurityProcessLabel      = virSecurityDACSetProcessLabel,
1151
    .domainSetSecurityChildProcessLabel = virSecurityDACSetChildProcessLabel,
1152

1153 1154
    .domainSetSecurityAllLabel          = virSecurityDACSetSecurityAllLabel,
    .domainRestoreSecurityAllLabel      = virSecurityDACRestoreSecurityAllLabel,
1155

1156 1157
    .domainSetSecurityHostdevLabel      = virSecurityDACSetSecurityHostdevLabel,
    .domainRestoreSecurityHostdevLabel  = virSecurityDACRestoreSecurityHostdevLabel,
1158

1159 1160
    .domainSetSavedStateLabel           = virSecurityDACSetSavedStateLabel,
    .domainRestoreSavedStateLabel       = virSecurityDACRestoreSavedStateLabel,
1161

1162
    .domainSetSecurityImageFDLabel      = virSecurityDACSetImageFDLabel,
1163
    .domainSetSecurityTapFDLabel        = virSecurityDACSetTapFDLabel,
1164

1165
    .domainGetSecurityMountOptions      = virSecurityDACGetMountOptions,
1166
};