security_selinux.c 66.8 KB
Newer Older
1
/*
2
 * Copyright (C) 2008-2012 Red Hat, Inc.
3 4 5 6 7 8
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
O
Osier Yang 已提交
9 10 11 12 13 14
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
15
 * License along with this library.  If not, see
O
Osier Yang 已提交
16 17
 * <http://www.gnu.org/licenses/>.
 *
18 19
 * Authors:
 *     James Morris <jmorris@namei.org>
20
 *     Dan Walsh <dwalsh@redhat.com>
21 22 23 24 25 26 27 28 29
 *
 * SELinux security driver.
 */
#include <config.h>
#include <selinux/selinux.h>
#include <selinux/context.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
E
Eric Blake 已提交
30 31 32
#if HAVE_SELINUX_LABEL_H
# include <selinux/label.h>
#endif
33

34
#include "security_driver.h"
35
#include "security_selinux.h"
36
#include "virerror.h"
37
#include "virutil.h"
38
#include "viralloc.h"
39
#include "virlog.h"
40
#include "virpci.h"
41
#include "virusb.h"
42
#include "virstoragefile.h"
E
Eric Blake 已提交
43
#include "virfile.h"
44
#include "virhash.h"
45
#include "virrandom.h"
46
#include "virutil.h"
47
#include "virconf.h"
D
Daniel P. Berrange 已提交
48 49 50

#define VIR_FROM_THIS VIR_FROM_SECURITY

51 52 53 54 55 56 57 58 59 60
#define MAX_CONTEXT 1024

typedef struct _virSecuritySELinuxData virSecuritySELinuxData;
typedef virSecuritySELinuxData *virSecuritySELinuxDataPtr;

typedef struct _virSecuritySELinuxCallbackData virSecuritySELinuxCallbackData;
typedef virSecuritySELinuxCallbackData *virSecuritySELinuxCallbackDataPtr;

struct _virSecuritySELinuxData {
    char *domain_context;
61
    char *alt_domain_context;
62 63
    char *file_context;
    char *content_context;
64
    virHashTablePtr mcs;
65
    bool skipAllLabel;
66 67 68 69 70 71 72
};

struct _virSecuritySELinuxCallbackData {
    virSecurityManagerPtr manager;
    virSecurityLabelDefPtr secdef;
};

73 74 75
#define SECURITY_SELINUX_VOID_DOI       "0"
#define SECURITY_SELINUX_NAME "selinux"

76 77 78
/*
 * Returns 0 on success, 1 if already reserved, or -1 on fatal error
 */
79
static int
80 81
virSecuritySELinuxMCSAdd(virSecurityManagerPtr mgr,
                         const char *mcs)
82
{
83
    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
84

85 86 87 88
    if (virHashLookup(data->mcs, mcs))
        return 1;

    if (virHashAddEntry(data->mcs, mcs, (void*)0x1) < 0)
89
        return -1;
90

91 92 93
    return 0;
}

94 95 96
static void
virSecuritySELinuxMCSRemove(virSecurityManagerPtr mgr,
                            const char *mcs)
97
{
98 99 100
    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);

    virHashRemoveEntry(data->mcs, mcs);
101 102
}

103 104 105 106 107 108 109 110

static char *
virSecuritySELinuxMCSFind(virSecurityManagerPtr mgr)
{
    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
    int c1 = 0;
    int c2 = 0;
    char *mcs = NULL;
111 112 113 114 115
    security_context_t ourSecContext = NULL;
    context_t ourContext = NULL;
    char *sens, *cat, *tmp;
    int catMin, catMax, catRange;

M
Martin Kletzander 已提交
116
    if (getcon_raw(&ourSecContext) < 0) {
117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204
        virReportSystemError(errno, "%s",
                             _("Unable to get current process SELinux context"));
        goto cleanup;
    }
    if (!(ourContext = context_new(ourSecContext))) {
        virReportSystemError(errno,
                             _("Unable to parse current SELinux context '%s'"),
                             ourSecContext);
        goto cleanup;
    }

    if (!(sens = strdup(context_range_get(ourContext)))) {
        virReportOOMError();
        goto cleanup;
    }

    /* Find and blank out the category part */
    if (!(tmp = strchr(sens, ':'))) {
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("Cannot parse sensitivity level in %s"),
                       sens);
        goto cleanup;
    }
    *tmp = '\0';
    cat = tmp + 1;
    /* Find and blank out the sensitivity upper bound */
    if ((tmp = strchr(sens, '-')))
        *tmp = '\0';
    /* sens now just contains the sensitivity lower bound */

    /* Find & extract category min */
    tmp = cat;
    if (tmp[0] != 'c') {
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("Cannot parse category in %s"),
                       cat);
        goto cleanup;
    }
    tmp++;
    if (virStrToLong_i(tmp, &tmp, 10, &catMin) < 0) {
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("Cannot parse category in %s"),
                       cat);
        goto cleanup;
    }

    /* We *must* have a pair of categories otherwise
     * there's no range to allocate VM categories from */
    if (!tmp[0]) {
        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
                       _("No category range available"));
        goto cleanup;
    }

    /* Find & extract category max (if any) */
    if (tmp[0] != '.') {
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("Cannot parse category in %s"),
                       cat);
        goto cleanup;
    }
    tmp++;
    if (tmp[0] != 'c') {
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("Cannot parse category in %s"),
                       cat);
        goto cleanup;
    }
    tmp++;
    if (virStrToLong_i(tmp, &tmp, 10, &catMax) < 0) {
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("Cannot parse category in %s"),
                       cat);
        goto cleanup;
    }

    /* +1 since virRandomInt range is exclusive of the upper bound */
    catRange = (catMax - catMin) + 1;

    if (catRange < 8) {
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("Category range c%d-c%d too small"),
                       catMin, catMax);
        goto cleanup;
    }

    VIR_DEBUG("Using sensitivity level '%s' cat min %d max %d range %d",
              sens, catMin, catMax, catRange);
205 206

    for (;;) {
207 208 209
        c1 = virRandomInt(catRange);
        c2 = virRandomInt(catRange);
        VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1+catMin, c2+catMin);
210 211

        if (c1 == c2) {
212
            if (virAsprintf(&mcs, "%s:c%d", sens, catMin + c1) < 0) {
213 214 215 216 217 218 219 220 221
                virReportOOMError();
                return NULL;
            }
        } else {
            if (c1 > c2) {
                int t = c1;
                c1 = c2;
                c2 = t;
            }
222
            if (virAsprintf(&mcs, "%s:c%d,c%d", sens, catMin + c1, catMin + c2) < 0) {
223 224 225 226 227 228 229 230 231 232 233 234 235
                virReportOOMError();
                return NULL;
            }
        }

        if (virHashLookup(data->mcs, mcs) == NULL)
            goto cleanup;

        VIR_FREE(mcs);
    }

cleanup:
    VIR_DEBUG("Found context '%s'", NULLSTR(mcs));
236 237 238
    VIR_FREE(sens);
    freecon(ourSecContext);
    context_free(ourContext);
239 240 241
    return mcs;
}

242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281
static char *
virSecuritySELinuxContextAddRange(security_context_t src,
                                  security_context_t dst)
{
    char *str = NULL;
    char *ret = NULL;
    context_t srccon = NULL;
    context_t dstcon = NULL;

    if (!src || !dst)
        return ret;

    if (!(srccon = context_new(src)) || !(dstcon = context_new(dst))) {
        virReportSystemError(errno, "%s",
                             _("unable to allocate security context"));
        goto cleanup;
    }

    if (context_range_set(dstcon, context_range_get(srccon)) == -1) {
        virReportSystemError(errno,
                             _("unable to set security context range '%s'"), dst);
        goto cleanup;
    }

    if (!(str = context_str(dstcon))) {
        virReportSystemError(errno, "%s",
                             _("Unable to format SELinux context"));
        goto cleanup;
    }

    if (!(ret = strdup(str))) {
        virReportOOMError();
        goto cleanup;
    }

cleanup:
    if (srccon) context_free(srccon);
    if (dstcon) context_free(dstcon);
    return ret;
}
282

283
static char *
284 285 286
virSecuritySELinuxGenNewContext(const char *basecontext,
                                const char *mcs,
                                bool isObjectContext)
287
{
288
    context_t context = NULL;
289 290
    char *ret = NULL;
    char *str;
291 292 293
    security_context_t ourSecContext = NULL;
    context_t ourContext = NULL;

294 295 296
    VIR_DEBUG("basecontext=%s mcs=%s isObjectContext=%d",
              basecontext, mcs, isObjectContext);

M
Martin Kletzander 已提交
297
    if (getcon_raw(&ourSecContext) < 0) {
298 299 300 301 302 303 304 305 306 307
        virReportSystemError(errno, "%s",
                             _("Unable to get current process SELinux context"));
        goto cleanup;
    }
    if (!(ourContext = context_new(ourSecContext))) {
        virReportSystemError(errno,
                             _("Unable to parse current SELinux context '%s'"),
                             ourSecContext);
        goto cleanup;
    }
308
    VIR_DEBUG("process=%s", ourSecContext);
309 310 311 312 313 314 315 316

    if (!(context = context_new(basecontext))) {
        virReportSystemError(errno,
                             _("Unable to parse base SELinux context '%s'"),
                             basecontext);
        goto cleanup;
    }

317 318 319 320 321 322 323 324
    if (context_user_set(context,
                         context_user_get(ourContext)) != 0) {
        virReportSystemError(errno,
                             _("Unable to set SELinux context user '%s'"),
                             context_user_get(ourContext));
        goto cleanup;
    }

325 326
    if (!isObjectContext &&
        context_role_set(context,
327 328
                         context_role_get(ourContext)) != 0) {
        virReportSystemError(errno,
329
                             _("Unable to set SELinux context role '%s'"),
330 331 332 333
                             context_role_get(ourContext));
        goto cleanup;
    }

334 335 336 337 338 339 340 341 342 343 344 345 346 347 348
    if (context_range_set(context, mcs) != 0) {
        virReportSystemError(errno,
                             _("Unable to set SELinux context MCS '%s'"),
                             mcs);
        goto cleanup;
    }
    if (!(str = context_str(context))) {
        virReportSystemError(errno, "%s",
                             _("Unable to format SELinux context"));
        goto cleanup;
    }
    if (!(ret = strdup(str))) {
        virReportOOMError();
        goto cleanup;
    }
349
    VIR_DEBUG("Generated context '%s'",  ret);
350
cleanup:
351 352
    freecon(ourSecContext);
    context_free(ourContext);
353 354
    context_free(context);
    return ret;
355 356
}

357

358
#ifdef HAVE_SELINUX_LXC_CONTEXTS_PATH
359
static int
360
virSecuritySELinuxLXCInitialize(virSecurityManagerPtr mgr)
361 362 363 364 365 366 367
{
    virConfValuePtr scon = NULL;
    virConfValuePtr tcon = NULL;
    virConfValuePtr dcon = NULL;
    virConfPtr selinux_conf;
    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);

368 369
    data->skipAllLabel = true;

370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412
    selinux_conf = virConfReadFile(selinux_lxc_contexts_path(), 0);
    if (!selinux_conf) {
        virReportSystemError(errno,
                             _("cannot open SELinux lxc contexts file '%s'"),
                             selinux_lxc_contexts_path());
        return -1;
    }

    scon = virConfGetValue(selinux_conf, "process");
    if (! scon || scon->type != VIR_CONF_STRING || (! scon->str)) {
        virReportSystemError(errno,
                             _("cannot read 'process' value from selinux lxc contexts file '%s'"),
                             selinux_lxc_contexts_path());
        goto error;
    }

    tcon = virConfGetValue(selinux_conf, "file");
    if (! tcon || tcon->type != VIR_CONF_STRING || (! tcon->str)) {
        virReportSystemError(errno,
                             _("cannot read 'file' value from selinux lxc contexts file '%s'"),
                             selinux_lxc_contexts_path());
        goto error;
    }

    dcon = virConfGetValue(selinux_conf, "content");
    if (! dcon || dcon->type != VIR_CONF_STRING || (! dcon->str)) {
        virReportSystemError(errno,
                             _("cannot read 'file' value from selinux lxc contexts file '%s'"),
                             selinux_lxc_contexts_path());
        goto error;
    }

    data->domain_context = strdup(scon->str);
    data->file_context = strdup(tcon->str);
    data->content_context = strdup(dcon->str);
    if (!data->domain_context ||
        !data->file_context ||
        !data->content_context) {
        virReportSystemError(errno,
                             _("cannot allocate memory for LXC SELinux contexts '%s'"),
                             selinux_lxc_contexts_path());
        goto error;
    }
413 414 415 416

    if (!(data->mcs = virHashCreate(10, NULL)))
        goto error;

417 418 419 420 421 422 423 424
    virConfFree(selinux_conf);
    return 0;

error:
    virConfFree(selinux_conf);
    VIR_FREE(data->domain_context);
    VIR_FREE(data->file_context);
    VIR_FREE(data->content_context);
425
    virHashFree(data->mcs);
426 427
    return -1;
}
428 429
#else
static int
430
virSecuritySELinuxLXCInitialize(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
431 432 433 434 435 436
{
    virReportSystemError(ENOSYS, "%s",
                         _("libselinux does not support LXC contexts path"));
    return -1;
}
#endif
437 438 439


static int
440
virSecuritySELinuxQEMUInitialize(virSecurityManagerPtr mgr)
441
{
442 443
    char *ptr;
    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
444

445 446
    data->skipAllLabel = false;

447
    if (virFileReadAll(selinux_virtual_domain_context_path(), MAX_CONTEXT, &(data->domain_context)) < 0) {
448
        virReportSystemError(errno,
449
                             _("cannot read SELinux virtual domain context file '%s'"),
450
                             selinux_virtual_domain_context_path());
451
        goto error;
452 453
    }

454
    ptr = strchrnul(data->domain_context, '\n');
455
    if (ptr && *ptr == '\n') {
456
        *ptr = '\0';
457 458 459 460 461 462 463 464 465 466 467 468 469 470 471
        ptr++;
        if (*ptr != '\0') {
            data->alt_domain_context = strdup(ptr);
            if (!data->alt_domain_context) {
                virReportOOMError();
                goto error;
            }
            ptr = strchrnul(data->alt_domain_context, '\n');
            if (ptr && *ptr == '\n')
                *ptr = '\0';
        }
    }
    VIR_DEBUG("Loaded domain context '%s', alt domain context '%s'",
              data->domain_context, NULLSTR(data->alt_domain_context));

472

473
    if (virFileReadAll(selinux_virtual_image_context_path(), 2*MAX_CONTEXT, &(data->file_context)) < 0) {
474
        virReportSystemError(errno,
475 476
                             _("cannot read SELinux virtual image context file %s"),
                             selinux_virtual_image_context_path());
477
        goto error;
478 479
    }

480 481
    ptr = strchrnul(data->file_context, '\n');
    if (ptr && *ptr == '\n') {
482
        *ptr = '\0';
483 484 485 486 487 488 489
        data->content_context = strdup(ptr+1);
        if (!data->content_context) {
            virReportOOMError();
            goto error;
        }
        ptr = strchrnul(data->content_context, '\n');
        if (ptr && *ptr == '\n')
490 491
            *ptr = '\0';
    }
492

493 494 495
    VIR_DEBUG("Loaded file context '%s', content context '%s'",
              data->file_context, data->content_context);

496 497 498
    if (!(data->mcs = virHashCreate(10, NULL)))
        goto error;

499
    return 0;
500 501 502

error:
    VIR_FREE(data->domain_context);
503
    VIR_FREE(data->alt_domain_context);
504 505
    VIR_FREE(data->file_context);
    VIR_FREE(data->content_context);
506
    virHashFree(data->mcs);
507
    return -1;
508 509
}

510 511

static int
512
virSecuritySELinuxInitialize(virSecurityManagerPtr mgr)
513 514 515
{
    VIR_DEBUG("SELinuxInitialize %s", virSecurityManagerGetDriver(mgr));
    if (STREQ(virSecurityManagerGetDriver(mgr),  "LXC")) {
516
        return virSecuritySELinuxLXCInitialize(mgr);
517
    } else {
518
        return virSecuritySELinuxQEMUInitialize(mgr);
519 520 521 522
    }
}


523
static int
524 525
virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
                                   virDomainDefPtr def)
526 527
{
    int rc = -1;
528
    char *mcs = NULL;
529
    char *scontext = NULL;
530
    context_t ctx = NULL;
531
    const char *range;
532 533
    virSecurityLabelDefPtr seclabel;
    virSecuritySELinuxDataPtr data;
534
    const char *baselabel;
535

536
    if (mgr == NULL) {
537
        virReportError(VIR_ERR_INTERNAL_ERROR,
538
                       "%s", _("invalid security driver"));
539 540 541
        return rc;
    }

542 543 544 545 546 547 548 549 550 551
    seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (seclabel == NULL) {
        return rc;
    }

    data = virSecurityManagerGetPrivateData(mgr);

    VIR_DEBUG("label=%s", virSecurityManagerGetDriver(mgr));
    if (seclabel->type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
        seclabel->label) {
552 553
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       "%s", _("security label already defined for VM"));
554
        return rc;
D
Daniel P. Berrange 已提交
555
    }
556

557
    if (seclabel->imagelabel) {
558 559
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       "%s", _("security image label already defined for VM"));
560 561 562
        return rc;
    }

563 564
    if (seclabel->model &&
        STRNEQ(seclabel->model, SECURITY_SELINUX_NAME)) {
565 566
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("security label model %s is not supported with selinux"),
567
                       seclabel->model);
568 569 570
        return rc;
    }

571
    VIR_DEBUG("type=%d", seclabel->type);
572

573
    switch (seclabel->type) {
574
    case VIR_DOMAIN_SECLABEL_STATIC:
575
        if (!(ctx = context_new(seclabel->label))) {
576 577
            virReportSystemError(errno,
                                 _("unable to allocate socket security context '%s'"),
578
                                 seclabel->label);
579
            return rc;
580 581
        }

582
        range = context_range_get(ctx);
583 584 585 586 587
        if (!range ||
            !(mcs = strdup(range))) {
            virReportOOMError();
            goto cleanup;
        }
588 589 590
        break;

    case VIR_DOMAIN_SECLABEL_DYNAMIC:
591 592 593 594 595
        if (!(mcs = virSecuritySELinuxMCSFind(mgr)))
            goto cleanup;

        if (virSecuritySELinuxMCSAdd(mgr, mcs) < 0)
            goto cleanup;
596

597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616
        baselabel = seclabel->baselabel;
        if (!baselabel) {
            if (def->virtType == VIR_DOMAIN_VIRT_QEMU) {
                if (data->alt_domain_context == NULL) {
                    static bool warned = false;
                    if (!warned) {
                        VIR_WARN("SELinux policy does not define a domain type for QEMU TCG. "
                                 "Guest startup may be denied due to missing 'execmem' privilege "
                                 "unless the 'virt_use_execmem' policy boolean is enabled");
                        warned = true;
                    }
                    baselabel = data->domain_context;
                } else {
                    baselabel = data->alt_domain_context;
                }
            } else {
                baselabel = data->domain_context;
            }
        }

617
        seclabel->label =
618
            virSecuritySELinuxGenNewContext(baselabel, mcs, false);
619
        if (!seclabel->label)  {
620 621
            virReportError(VIR_ERR_INTERNAL_ERROR,
                           _("cannot generate selinux context for %s"), mcs);
622
            goto cleanup;
623
        }
624 625 626 627 628 629 630
        break;

    case VIR_DOMAIN_SECLABEL_NONE:
        /* no op */
        break;

    default:
631 632
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("unexpected security label type '%s'"),
633
                       virDomainSeclabelTypeToString(seclabel->type));
634
        goto cleanup;
D
Daniel P. Berrange 已提交
635
    }
636

637
    if (!seclabel->norelabel) {
638
        seclabel->imagelabel = virSecuritySELinuxGenNewContext(data->file_context,
639 640 641
                                                               mcs,
                                                               true);
        if (!seclabel->imagelabel)  {
642 643
            virReportError(VIR_ERR_INTERNAL_ERROR,
                           _("cannot generate selinux context for %s"), mcs);
644
            goto cleanup;
645
        }
646 647
    }

648 649
    if (!seclabel->model &&
        !(seclabel->model = strdup(SECURITY_SELINUX_NAME))) {
650
        virReportOOMError();
651
        goto cleanup;
D
Daniel P. Berrange 已提交
652 653
    }

654
    rc = 0;
655 656 657

cleanup:
    if (rc != 0) {
658 659 660 661 662 663
        if (seclabel->type == VIR_DOMAIN_SECLABEL_DYNAMIC)
            VIR_FREE(seclabel->label);
        VIR_FREE(seclabel->imagelabel);
        if (seclabel->type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
            !seclabel->baselabel)
            VIR_FREE(seclabel->model);
664 665 666 667
    }

    if (ctx)
        context_free(ctx);
D
Daniel P. Berrange 已提交
668
    VIR_FREE(scontext);
669 670 671
    VIR_FREE(mcs);

    VIR_DEBUG("model=%s label=%s imagelabel=%s baselabel=%s",
672 673 674 675
              NULLSTR(seclabel->model),
              NULLSTR(seclabel->label),
              NULLSTR(seclabel->imagelabel),
              NULLSTR(seclabel->baselabel));
676

677 678 679
    return rc;
}

680
static int
681
virSecuritySELinuxReserveSecurityLabel(virSecurityManagerPtr mgr,
682 683
                                       virDomainDefPtr def,
                                       pid_t pid)
684 685 686 687
{
    security_context_t pctx;
    context_t ctx = NULL;
    const char *mcs;
688
    int rv;
689
    virSecurityLabelDefPtr seclabel;
690

691 692 693 694 695 696
    seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (seclabel == NULL) {
        return -1;
    }

    if (seclabel->type == VIR_DOMAIN_SECLABEL_STATIC)
697 698
        return 0;

M
Martin Kletzander 已提交
699
    if (getpidcon_raw(pid, &pctx) == -1) {
700
        virReportSystemError(errno,
701
                             _("unable to get PID %d security context"), pid);
702 703 704 705
        return -1;
    }

    ctx = context_new(pctx);
706
    freecon(pctx);
707
    if (!ctx)
708
        goto error;
709 710 711

    mcs = context_range_get(ctx);
    if (!mcs)
712 713
        goto error;

714
    if ((rv = virSecuritySELinuxMCSAdd(mgr, mcs)) < 0)
715
        goto error;
716

717 718 719 720 721 722
    if (rv == 1) {
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("MCS level for existing domain label %s already reserved"),
                       (char*)pctx);
        goto error;
    }
723 724 725 726 727

    context_free(ctx);

    return 0;

728
error:
729 730 731 732 733
    context_free(ctx);
    return -1;
}


734
static int
735
virSecuritySELinuxSecurityDriverProbe(const char *virtDriver)
736
{
737 738 739
    if (!is_selinux_enabled())
        return SECURITY_DRIVER_DISABLE;

740 741 742 743 744 745
    if (virtDriver && STREQ(virtDriver, "LXC")) {
#if HAVE_SELINUX_LXC_CONTEXTS_PATH
        if (!virFileExists(selinux_lxc_contexts_path()))
#endif
            return SECURITY_DRIVER_DISABLE;
    }
746 747

    return SECURITY_DRIVER_ENABLE;
748 749
}

750

751
static int
752
virSecuritySELinuxSecurityDriverOpen(virSecurityManagerPtr mgr)
753
{
754
    return virSecuritySELinuxInitialize(mgr);
755 756
}

757

758
static int
759
virSecuritySELinuxSecurityDriverClose(virSecurityManagerPtr mgr)
760
{
761 762 763 764 765
    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);

    if (!data)
        return 0;

766 767
    virHashFree(data->mcs);

768
    VIR_FREE(data->domain_context);
769
    VIR_FREE(data->alt_domain_context);
770 771 772
    VIR_FREE(data->file_context);
    VIR_FREE(data->content_context);

773 774 775 776
    return 0;
}


777 778
static const char *
virSecuritySELinuxSecurityGetModel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
779 780 781 782
{
    return SECURITY_SELINUX_NAME;
}

783 784
static const char *
virSecuritySELinuxSecurityGetDOI(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
785 786 787 788 789
{
    /*
     * Where will the DOI come from?  SELinux configuration, or qemu
     * configuration? For the moment, we'll just set it to "0".
     */
790
    return SECURITY_SELINUX_VOID_DOI;
791 792 793
}

static int
794 795 796 797
virSecuritySELinuxGetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                          virDomainDefPtr def ATTRIBUTE_UNUSED,
                                          pid_t pid,
                                          virSecurityLabelPtr sec)
798 799 800
{
    security_context_t ctx;

M
Martin Kletzander 已提交
801
    if (getpidcon_raw(pid, &ctx) == -1) {
802
        virReportSystemError(errno,
803
                             _("unable to get PID %d security context"),
804
                             pid);
805 806 807 808
        return -1;
    }

    if (strlen((char *) ctx) >= VIR_SECURITY_LABEL_BUFLEN) {
809 810 811 812
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("security label exceeds "
                         "maximum length: %d"),
                       VIR_SECURITY_LABEL_BUFLEN - 1);
813
        freecon(ctx);
814 815 816 817
        return -1;
    }

    strcpy(sec->label, (char *) ctx);
818
    freecon(ctx);
819

820
    VIR_DEBUG("label=%s", sec->label);
821 822
    sec->enforcing = security_getenforce();
    if (sec->enforcing == -1) {
823
        virReportSystemError(errno, "%s",
824
                             _("error calling security_getenforce()"));
825 826 827 828 829 830
        return -1;
    }

    return 0;
}

831 832 833
/* Attempt to change the label of PATH to TCON.  If OPTIONAL is true,
 * return 1 if labelling was not possible.  Otherwise, require a label
 * change, and return 0 for success, -1 for failure.  */
834
static int
835
virSecuritySELinuxSetFileconHelper(const char *path, char *tcon, bool optional)
836
{
837
    security_context_t econ;
838

839 840
    VIR_INFO("Setting SELinux context on '%s' to '%s'", path, tcon);

M
Martin Kletzander 已提交
841
    if (setfilecon_raw(path, tcon) < 0) {
842 843
        int setfilecon_errno = errno;

M
Martin Kletzander 已提交
844
        if (getfilecon_raw(path, &econ) >= 0) {
845 846 847
            if (STREQ(tcon, econ)) {
                freecon(econ);
                /* It's alright, there's nothing to change anyway. */
848
                return optional ? 1 : 0;
849 850 851
            }
            freecon(econ);
        }
852 853

        /* if the error complaint is related to an image hosted on
854 855
         * an nfs mount, or a usbfs/sysfs filesystem not supporting
         * labelling, then just ignore it & hope for the best.
856
         * The user hopefully set one of the necessary SELinux
857
         * virt_use_{nfs,usb,pci}  boolean tunables to allow it...
858
         */
859
        if (setfilecon_errno != EOPNOTSUPP && setfilecon_errno != ENOTSUP) {
860
            virReportSystemError(setfilecon_errno,
861
                                 _("unable to set security context '%s' on '%s'"),
862
                                 tcon, path);
863 864
            if (security_getenforce() == 1)
                return -1;
865
        } else {
866 867 868 869 870 871 872 873 874 875 876 877 878 879
            const char *msg;
            if ((virStorageFileIsSharedFSType(path,
                                              VIR_STORAGE_FILE_SHFS_NFS) == 1) &&
                security_get_boolean_active("virt_use_nfs") != 1) {
                msg = _("Setting security context '%s' on '%s' not supported. "
                        "Consider setting virt_use_nfs");
               if (security_getenforce() == 1)
                   VIR_WARN(msg, tcon, path);
               else
                   VIR_INFO(msg, tcon, path);
            } else {
                VIR_INFO("Setting security context '%s' on '%s' not supported",
                         tcon, path);
            }
880 881
            if (optional)
                return 1;
882
        }
883 884 885 886
    }
    return 0;
}

887
static int
888
virSecuritySELinuxSetFileconOptional(const char *path, char *tcon)
889
{
890
    return virSecuritySELinuxSetFileconHelper(path, tcon, true);
891 892 893
}

static int
894
virSecuritySELinuxSetFilecon(const char *path, char *tcon)
895
{
896
    return virSecuritySELinuxSetFileconHelper(path, tcon, false);
897 898
}

899
static int
900
virSecuritySELinuxFSetFilecon(int fd, char *tcon)
901 902 903 904 905
{
    security_context_t econ;

    VIR_INFO("Setting SELinux context on fd %d to '%s'", fd, tcon);

M
Martin Kletzander 已提交
906
    if (fsetfilecon_raw(fd, tcon) < 0) {
907 908
        int fsetfilecon_errno = errno;

M
Martin Kletzander 已提交
909
        if (fgetfilecon_raw(fd, &econ) >= 0) {
910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937
            if (STREQ(tcon, econ)) {
                freecon(econ);
                /* It's alright, there's nothing to change anyway. */
                return 0;
            }
            freecon(econ);
        }

        /* if the error complaint is related to an image hosted on
         * an nfs mount, or a usbfs/sysfs filesystem not supporting
         * labelling, then just ignore it & hope for the best.
         * The user hopefully set one of the necessary SELinux
         * virt_use_{nfs,usb,pci}  boolean tunables to allow it...
         */
        if (fsetfilecon_errno != EOPNOTSUPP) {
            virReportSystemError(fsetfilecon_errno,
                                 _("unable to set security context '%s' on fd %d"),
                                 tcon, fd);
            if (security_getenforce() == 1)
                return -1;
        } else {
            VIR_INFO("Setting security context '%s' on fd %d not supported",
                     tcon, fd);
        }
    }
    return 0;
}

E
Eric Blake 已提交
938 939 940 941 942 943 944 945 946 947 948
/* Set fcon to the appropriate label for path and mode, or return -1.  */
static int
getContext(const char *newpath, mode_t mode, security_context_t *fcon)
{
#if HAVE_SELINUX_LABEL_H
    struct selabel_handle *handle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
    int ret;

    if (handle == NULL)
        return -1;

M
Martin Kletzander 已提交
949
    ret = selabel_lookup_raw(handle, fcon, newpath, mode);
E
Eric Blake 已提交
950 951 952 953 954 955 956
    selabel_close(handle);
    return ret;
#else
    return matchpathcon(newpath, mode, fcon);
#endif
}

957 958 959

/* This method shouldn't raise errors, since they'll overwrite
 * errors that the caller(s) are already dealing with */
960
static int
961
virSecuritySELinuxRestoreSecurityFileLabel(const char *path)
962
{
963 964 965 966
    struct stat buf;
    security_context_t fcon = NULL;
    int rc = -1;
    char *newpath = NULL;
967
    char ebuf[1024];
968

969 970
    VIR_INFO("Restoring SELinux context on '%s'", path);

971
    if (virFileResolveLink(path, &newpath) < 0) {
972 973
        VIR_WARN("cannot resolve symlink %s: %s", path,
                 virStrerror(errno, ebuf, sizeof(ebuf)));
D
Daniel P. Berrange 已提交
974
        goto err;
975
    }
976

977
    if (stat(newpath, &buf) != 0) {
978 979
        VIR_WARN("cannot stat %s: %s", newpath,
                 virStrerror(errno, ebuf, sizeof(ebuf)));
D
Daniel P. Berrange 已提交
980
        goto err;
981
    }
D
Daniel P. Berrange 已提交
982

E
Eric Blake 已提交
983
    if (getContext(newpath, buf.st_mode, &fcon) < 0) {
984 985 986
        /* Any user created path likely does not have a default label,
         * which makes this an expected non error
         */
987
        VIR_WARN("cannot lookup default selinux label for %s", newpath);
988
        rc = 0;
989
    } else {
990
        rc = virSecuritySELinuxSetFilecon(newpath, fcon);
991
    }
992

993
err:
994
    freecon(fcon);
995 996
    VIR_FREE(newpath);
    return rc;
997 998
}

999
static int
1000 1001 1002 1003
virSecuritySELinuxRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                               virDomainDefPtr def,
                                               virDomainDiskDefPtr disk,
                                               int migrated)
1004
{
1005 1006 1007 1008 1009 1010
    virSecurityLabelDefPtr seclabel;
    virSecurityDeviceLabelDefPtr disk_seclabel;

    seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (seclabel == NULL)
        return -1;
1011

1012 1013 1014
    disk_seclabel = virDomainDiskDefGetSecurityLabelDef(disk,
                                                        SECURITY_SELINUX_NAME);
    if (seclabel->norelabel || (disk_seclabel && disk_seclabel->norelabel))
1015 1016
        return 0;

1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027
    /* Don't restore labels on readoly/shared disks, because
     * other VMs may still be accessing these
     * Alternatively we could iterate over all running
     * domains and try to figure out if it is in use, but
     * this would not work for clustered filesystems, since
     * we can't see running VMs using the file on other nodes
     * Safest bet is thus to skip the restore step.
     */
    if (disk->readonly || disk->shared)
        return 0;

1028
    if (!disk->src || disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK)
1029 1030
        return 0;

1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046
    /* If we have a shared FS & doing migrated, we must not
     * change ownership, because that kills access on the
     * destination host which is sub-optimal for the guest
     * VM's I/O attempts :-)
     */
    if (migrated) {
        int rc = virStorageFileIsSharedFS(disk->src);
        if (rc < 0)
            return -1;
        if (rc == 1) {
            VIR_DEBUG("Skipping image label restore on %s because FS is shared",
                      disk->src);
            return 0;
        }
    }

1047
    return virSecuritySELinuxRestoreSecurityFileLabel(disk->src);
1048 1049
}

1050 1051

static int
1052 1053 1054
virSecuritySELinuxRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
                                            virDomainDefPtr def,
                                            virDomainDiskDefPtr disk)
1055
{
1056
    return virSecuritySELinuxRestoreSecurityImageLabelInt(mgr, def, disk, 0);
1057 1058 1059
}


1060
static int
1061 1062 1063 1064
virSecuritySELinuxSetSecurityFileLabel(virDomainDiskDefPtr disk,
                                       const char *path,
                                       size_t depth,
                                       void *opaque)
1065
{
1066 1067
    int ret;
    virSecurityDeviceLabelDefPtr disk_seclabel;
1068 1069 1070
    virSecuritySELinuxCallbackDataPtr cbdata = opaque;
    const virSecurityLabelDefPtr secdef = cbdata->secdef;
    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(cbdata->manager);
1071

1072 1073 1074 1075
    disk_seclabel = virDomainDiskDefGetSecurityLabelDef(disk,
                                                        SECURITY_SELINUX_NAME);

    if (disk_seclabel && disk_seclabel->norelabel)
1076 1077
        return 0;

1078 1079 1080
    if (disk_seclabel && !disk_seclabel->norelabel &&
        disk_seclabel->label) {
        ret = virSecuritySELinuxSetFilecon(path, disk_seclabel->label);
1081
    } else if (depth == 0) {
1082

1083
        if (disk->shared) {
1084
            ret = virSecuritySELinuxSetFileconOptional(path, data->file_context);
1085
        } else if (disk->readonly) {
1086
            ret = virSecuritySELinuxSetFileconOptional(path, data->content_context);
1087
        } else if (secdef->imagelabel) {
1088
            ret = virSecuritySELinuxSetFileconOptional(path, secdef->imagelabel);
1089
        } else {
1090
            ret = 0;
1091 1092
        }
    } else {
1093
        ret = virSecuritySELinuxSetFileconOptional(path, data->content_context);
1094
    }
1095
    if (ret == 1 && !disk_seclabel) {
1096 1097
        /* If we failed to set a label, but virt_use_nfs let us
         * proceed anyway, then we don't need to relabel later.  */
1098 1099 1100
        disk_seclabel =
            virDomainDiskDefAddSecurityLabelDef(disk, SECURITY_SELINUX_NAME);
        if (!disk_seclabel)
1101
            return -1;
1102
        disk_seclabel->norelabel = true;
1103
        ret = 0;
1104
    }
1105
    return ret;
1106 1107
}

1108
static int
1109 1110 1111
virSecuritySELinuxSetSecurityImageLabel(virSecurityManagerPtr mgr,
                                        virDomainDefPtr def,
                                        virDomainDiskDefPtr disk)
1112 1113

{
1114 1115
    virSecuritySELinuxCallbackData cbdata;
    cbdata.manager = mgr;
1116
    cbdata.secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
1117

1118 1119
    if (cbdata.secdef == NULL)
        return -1;
1120

1121
    if (cbdata.secdef->norelabel)
1122 1123
        return 0;

1124 1125 1126
    if (disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK)
        return 0;

1127
    return virDomainDiskDefForeachPath(disk,
1128
                                       true,
1129
                                       virSecuritySELinuxSetSecurityFileLabel,
1130
                                       &cbdata);
1131 1132
}

1133 1134

static int
1135 1136
virSecuritySELinuxSetSecurityPCILabel(pciDevice *dev ATTRIBUTE_UNUSED,
                                      const char *file, void *opaque)
1137
{
1138
    virSecurityLabelDefPtr secdef;
1139
    virDomainDefPtr def = opaque;
1140

1141 1142 1143
    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (secdef == NULL)
        return -1;
1144
    return virSecuritySELinuxSetFilecon(file, secdef->imagelabel);
1145 1146 1147
}

static int
1148 1149
virSecuritySELinuxSetSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED,
                                      const char *file, void *opaque)
1150
{
1151
    virSecurityLabelDefPtr secdef;
1152
    virDomainDefPtr def = opaque;
1153 1154 1155 1156

    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (secdef == NULL)
        return -1;
1157

1158
    return virSecuritySELinuxSetFilecon(file, secdef->imagelabel);
1159 1160
}

1161

1162
static int
1163 1164 1165
virSecuritySELinuxSetSecurityHostdevSubsysLabel(virDomainDefPtr def,
                                                virDomainHostdevDefPtr dev,
                                                const char *vroot)
1166 1167 1168 1169 1170 1171

{
    int ret = -1;

    switch (dev->source.subsys.type) {
    case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB: {
1172
        usbDevice *usb;
1173

1174 1175 1176 1177
        if (dev->missing)
            return 0;

        usb = usbGetDevice(dev->source.subsys.u.usb.bus,
1178 1179
                           dev->source.subsys.u.usb.device,
                           vroot);
1180 1181
        if (!usb)
            goto done;
1182

1183
        ret = usbDeviceFileIterate(usb, virSecuritySELinuxSetSecurityUSBLabel, def);
1184
        usbFreeDevice(usb);
M
Mark McLoughlin 已提交
1185
        break;
1186 1187 1188
    }

    case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI: {
1189
        pciDevice *pci = pciGetDevice(dev->source.subsys.u.pci.domain,
1190 1191 1192 1193 1194 1195 1196
                                      dev->source.subsys.u.pci.bus,
                                      dev->source.subsys.u.pci.slot,
                                      dev->source.subsys.u.pci.function);

        if (!pci)
            goto done;

1197
        ret = pciDeviceFileIterate(pci, virSecuritySELinuxSetSecurityPCILabel, def);
1198
        pciFreeDevice(pci);
1199 1200 1201 1202 1203 1204 1205 1206 1207 1208 1209 1210 1211

        break;
    }

    default:
        ret = 0;
        break;
    }

done:
    return ret;
}

1212

1213 1214 1215 1216 1217 1218 1219 1220 1221 1222 1223 1224 1225 1226 1227 1228 1229 1230 1231 1232 1233 1234 1235 1236 1237 1238 1239 1240 1241 1242 1243 1244 1245 1246 1247 1248 1249 1250 1251 1252 1253 1254 1255 1256 1257 1258 1259 1260 1261 1262 1263 1264 1265 1266 1267 1268 1269 1270 1271
static int
virSecuritySELinuxSetSecurityHostdevCapsLabel(virDomainDefPtr def,
                                              virDomainHostdevDefPtr dev,
                                              const char *vroot)
{
    int ret = -1;
    virSecurityLabelDefPtr secdef;
    char *path;

    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (secdef == NULL)
        return -1;

    switch (dev->source.caps.type) {
    case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_STORAGE: {
        if (vroot) {
            if (virAsprintf(&path, "%s/%s", vroot,
                            dev->source.caps.u.storage.block) < 0) {
                virReportOOMError();
                return -1;
            }
        } else {
            if (!(path = strdup(dev->source.caps.u.storage.block))) {
                virReportOOMError();
                return -1;
            }
        }
        ret = virSecuritySELinuxSetFilecon(path, secdef->imagelabel);
        VIR_FREE(path);
        break;
    }

    case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_MISC: {
        if (vroot) {
            if (virAsprintf(&path, "%s/%s", vroot,
                            dev->source.caps.u.misc.chardev) < 0) {
                virReportOOMError();
                return -1;
            }
        } else {
            if (!(path = strdup(dev->source.caps.u.misc.chardev))) {
                virReportOOMError();
                return -1;
            }
        }
        ret = virSecuritySELinuxSetFilecon(path, secdef->imagelabel);
        VIR_FREE(path);
        break;
    }

    default:
        ret = 0;
        break;
    }

    return ret;
}


1272 1273 1274 1275 1276 1277 1278 1279 1280 1281 1282 1283 1284 1285 1286 1287 1288 1289 1290 1291
static int
virSecuritySELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                          virDomainDefPtr def,
                                          virDomainHostdevDefPtr dev,
                                          const char *vroot)

{
    virSecurityLabelDefPtr secdef;

    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (secdef == NULL)
        return -1;

    if (secdef->norelabel)
        return 0;

    switch (dev->mode) {
    case VIR_DOMAIN_HOSTDEV_MODE_SUBSYS:
        return virSecuritySELinuxSetSecurityHostdevSubsysLabel(def, dev, vroot);

1292 1293 1294
    case VIR_DOMAIN_HOSTDEV_MODE_CAPABILITIES:
        return virSecuritySELinuxSetSecurityHostdevCapsLabel(def, dev, vroot);

1295 1296 1297 1298 1299 1300
    default:
        return 0;
    }
}


1301
static int
1302 1303 1304
virSecuritySELinuxRestoreSecurityPCILabel(pciDevice *dev ATTRIBUTE_UNUSED,
                                          const char *file,
                                          void *opaque ATTRIBUTE_UNUSED)
1305
{
1306
    return virSecuritySELinuxRestoreSecurityFileLabel(file);
1307 1308 1309
}

static int
1310 1311 1312
virSecuritySELinuxRestoreSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED,
                                          const char *file,
                                          void *opaque ATTRIBUTE_UNUSED)
1313
{
1314
    return virSecuritySELinuxRestoreSecurityFileLabel(file);
1315 1316
}

1317

1318
static int
1319 1320
virSecuritySELinuxRestoreSecurityHostdevSubsysLabel(virDomainHostdevDefPtr dev,
                                                    const char *vroot)
1321 1322 1323 1324 1325 1326

{
    int ret = -1;

    switch (dev->source.subsys.type) {
    case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB: {
1327 1328 1329 1330
        usbDevice *usb;

        if (dev->missing)
            return 0;
1331

1332
        usb = usbGetDevice(dev->source.subsys.u.usb.bus,
1333 1334
                           dev->source.subsys.u.usb.device,
                           vroot);
1335 1336 1337
        if (!usb)
            goto done;

1338
        ret = usbDeviceFileIterate(usb, virSecuritySELinuxRestoreSecurityUSBLabel, NULL);
1339
        usbFreeDevice(usb);
1340 1341 1342 1343 1344

        break;
    }

    case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI: {
1345
        pciDevice *pci = pciGetDevice(dev->source.subsys.u.pci.domain,
1346 1347 1348 1349 1350 1351 1352
                                      dev->source.subsys.u.pci.bus,
                                      dev->source.subsys.u.pci.slot,
                                      dev->source.subsys.u.pci.function);

        if (!pci)
            goto done;

1353
        ret = pciDeviceFileIterate(pci, virSecuritySELinuxRestoreSecurityPCILabel, NULL);
1354
        pciFreeDevice(pci);
1355 1356 1357 1358 1359 1360 1361 1362 1363 1364 1365 1366 1367

        break;
    }

    default:
        ret = 0;
        break;
    }

done:
    return ret;
}

1368

1369 1370 1371 1372 1373 1374 1375 1376 1377 1378 1379 1380 1381 1382 1383 1384 1385 1386 1387 1388 1389 1390 1391 1392 1393 1394 1395 1396 1397 1398 1399 1400 1401 1402 1403 1404 1405 1406 1407 1408 1409 1410 1411 1412 1413 1414 1415 1416 1417 1418 1419 1420 1421
static int
virSecuritySELinuxRestoreSecurityHostdevCapsLabel(virDomainHostdevDefPtr dev,
                                                  const char *vroot)
{
    int ret = -1;
    char *path;

    switch (dev->source.caps.type) {
    case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_STORAGE: {
        if (vroot) {
            if (virAsprintf(&path, "%s/%s", vroot,
                            dev->source.caps.u.storage.block) < 0) {
                virReportOOMError();
                return -1;
            }
        } else {
            if (!(path = strdup(dev->source.caps.u.storage.block))) {
                virReportOOMError();
                return -1;
            }
        }
        ret = virSecuritySELinuxRestoreSecurityFileLabel(path);
        VIR_FREE(path);
        break;
    }

    case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_MISC: {
        if (vroot) {
            if (virAsprintf(&path, "%s/%s", vroot,
                            dev->source.caps.u.misc.chardev) < 0) {
                virReportOOMError();
                return -1;
            }
        } else {
            if (!(path = strdup(dev->source.caps.u.misc.chardev))) {
                virReportOOMError();
                return -1;
            }
        }
        ret = virSecuritySELinuxRestoreSecurityFileLabel(path);
        VIR_FREE(path);
        break;
    }

    default:
        ret = 0;
        break;
    }

    return ret;
}


1422 1423 1424 1425 1426 1427 1428 1429 1430 1431 1432 1433 1434 1435 1436 1437 1438 1439 1440 1441
static int
virSecuritySELinuxRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                              virDomainDefPtr def,
                                              virDomainHostdevDefPtr dev,
                                              const char *vroot)

{
    virSecurityLabelDefPtr secdef;

    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (secdef == NULL)
        return -1;

    if (secdef->norelabel)
        return 0;

    switch (dev->mode) {
    case VIR_DOMAIN_HOSTDEV_MODE_SUBSYS:
        return virSecuritySELinuxRestoreSecurityHostdevSubsysLabel(dev, vroot);

1442 1443 1444
    case VIR_DOMAIN_HOSTDEV_MODE_CAPABILITIES:
        return virSecuritySELinuxRestoreSecurityHostdevCapsLabel(dev, vroot);

1445 1446 1447 1448 1449 1450
    default:
        return 0;
    }
}


1451
static int
1452
virSecuritySELinuxSetSecurityChardevLabel(virDomainDefPtr def,
1453 1454
                                          virDomainChrDefPtr dev,
                                          virDomainChrSourceDefPtr dev_source)
1455 1456

{
1457 1458 1459
    virSecurityLabelDefPtr seclabel;
    virSecurityDeviceLabelDefPtr chr_seclabel = NULL;
    char *imagelabel = NULL;
1460 1461 1462
    char *in = NULL, *out = NULL;
    int ret = -1;

1463 1464
    seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (seclabel == NULL)
1465 1466
        return -1;

1467 1468 1469 1470 1471
    if (dev)
        chr_seclabel = virDomainChrDefGetSecurityLabelDef(dev,
                                                          SECURITY_SELINUX_NAME);

    if (seclabel->norelabel || (chr_seclabel && chr_seclabel->norelabel))
1472 1473
        return 0;

1474 1475 1476 1477 1478 1479
    if (chr_seclabel)
        imagelabel = chr_seclabel->label;
    if (!imagelabel)
        imagelabel = seclabel->imagelabel;

    switch (dev_source->type) {
1480 1481
    case VIR_DOMAIN_CHR_TYPE_DEV:
    case VIR_DOMAIN_CHR_TYPE_FILE:
1482 1483 1484 1485 1486 1487 1488 1489 1490 1491 1492
        ret = virSecuritySELinuxSetFilecon(dev_source->data.file.path,
                                           imagelabel);
        break;

    case VIR_DOMAIN_CHR_TYPE_UNIX:
        if (!dev_source->data.nix.listen) {
            if (virSecuritySELinuxSetFilecon(dev_source->data.file.path,
                                             imagelabel) < 0)
                goto done;
        }
        ret = 0;
1493 1494 1495
        break;

    case VIR_DOMAIN_CHR_TYPE_PIPE:
1496 1497
        if ((virAsprintf(&in, "%s.in", dev_source->data.file.path) < 0) ||
            (virAsprintf(&out, "%s.out", dev_source->data.file.path) < 0)) {
1498 1499 1500 1501
            virReportOOMError();
            goto done;
        }
        if (virFileExists(in) && virFileExists(out)) {
1502 1503
            if ((virSecuritySELinuxSetFilecon(in, imagelabel) < 0) ||
                (virSecuritySELinuxSetFilecon(out, imagelabel) < 0)) {
1504
                goto done;
1505
            }
1506 1507
        } else if (virSecuritySELinuxSetFilecon(dev_source->data.file.path,
                                                imagelabel) < 0) {
1508
            goto done;
1509 1510 1511 1512 1513 1514 1515 1516 1517 1518 1519 1520 1521 1522 1523 1524
        }
        ret = 0;
        break;

    default:
        ret = 0;
        break;
    }

done:
    VIR_FREE(in);
    VIR_FREE(out);
    return ret;
}

static int
1525
virSecuritySELinuxRestoreSecurityChardevLabel(virDomainDefPtr def,
1526 1527
                                              virDomainChrDefPtr dev,
                                              virDomainChrSourceDefPtr dev_source)
1528 1529

{
1530 1531
    virSecurityLabelDefPtr seclabel;
    virSecurityDeviceLabelDefPtr chr_seclabel = NULL;
1532 1533 1534
    char *in = NULL, *out = NULL;
    int ret = -1;

1535 1536
    seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (seclabel == NULL)
1537 1538
        return -1;

1539 1540 1541 1542
    if (dev)
        chr_seclabel = virDomainChrDefGetSecurityLabelDef(dev,
                                                          SECURITY_SELINUX_NAME);
    if (seclabel->norelabel || (chr_seclabel && chr_seclabel->norelabel))
1543 1544
        return 0;

1545
    switch (dev_source->type) {
1546 1547
    case VIR_DOMAIN_CHR_TYPE_DEV:
    case VIR_DOMAIN_CHR_TYPE_FILE:
1548
        if (virSecuritySELinuxRestoreSecurityFileLabel(dev_source->data.file.path) < 0)
1549 1550
            goto done;
        ret = 0;
1551
        break;
1552 1553 1554 1555 1556 1557 1558 1559 1560

    case VIR_DOMAIN_CHR_TYPE_UNIX:
        if (!dev_source->data.nix.listen) {
            if (virSecuritySELinuxRestoreSecurityFileLabel(dev_source->data.file.path) < 0)
                goto done;
        }
        ret = 0;
        break;

1561
    case VIR_DOMAIN_CHR_TYPE_PIPE:
1562 1563
        if ((virAsprintf(&out, "%s.out", dev_source->data.file.path) < 0) ||
            (virAsprintf(&in, "%s.in", dev_source->data.file.path) < 0)) {
1564 1565 1566
            virReportOOMError();
            goto done;
        }
1567
        if (virFileExists(in) && virFileExists(out)) {
1568 1569
            if ((virSecuritySELinuxRestoreSecurityFileLabel(out) < 0) ||
                (virSecuritySELinuxRestoreSecurityFileLabel(in) < 0)) {
1570 1571
                goto done;
            }
1572
        } else if (virSecuritySELinuxRestoreSecurityFileLabel(dev_source->data.file.path) < 0) {
1573
            goto done;
1574
        }
1575 1576 1577 1578 1579 1580 1581 1582 1583 1584 1585 1586 1587 1588 1589 1590
        ret = 0;
        break;

    default:
        ret = 0;
        break;
    }

done:
    VIR_FREE(in);
    VIR_FREE(out);
    return ret;
}


static int
1591 1592 1593
virSecuritySELinuxRestoreSecurityChardevCallback(virDomainDefPtr def,
                                                 virDomainChrDefPtr dev,
                                                 void *opaque ATTRIBUTE_UNUSED)
1594
{
1595 1596 1597 1598 1599
    /* This is taken care of by processing of def->serials */
    if (dev->deviceType == VIR_DOMAIN_CHR_DEVICE_TYPE_CONSOLE &&
        dev->targetType == VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_SERIAL)
        return 0;

1600 1601
    return virSecuritySELinuxRestoreSecurityChardevLabel(def, dev,
                                                         &dev->source);
1602 1603 1604
}


E
Eric Blake 已提交
1605
static int
1606 1607 1608
virSecuritySELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def,
                                                   virDomainSmartcardDefPtr dev,
                                                   void *opaque ATTRIBUTE_UNUSED)
E
Eric Blake 已提交
1609 1610 1611 1612 1613 1614 1615 1616 1617 1618 1619
{
    const char *database;

    switch (dev->type) {
    case VIR_DOMAIN_SMARTCARD_TYPE_HOST:
        break;

    case VIR_DOMAIN_SMARTCARD_TYPE_HOST_CERTIFICATES:
        database = dev->data.cert.database;
        if (!database)
            database = VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE;
1620
        return virSecuritySELinuxRestoreSecurityFileLabel(database);
E
Eric Blake 已提交
1621 1622

    case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
1623
        return virSecuritySELinuxRestoreSecurityChardevLabel(def, NULL, &dev->data.passthru);
E
Eric Blake 已提交
1624 1625

    default:
1626 1627 1628
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("unknown smartcard type %d"),
                       dev->type);
E
Eric Blake 已提交
1629 1630 1631 1632 1633 1634 1635
        return -1;
    }

    return 0;
}


1636
static int
1637
virSecuritySELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
1638 1639
                                          virDomainDefPtr def,
                                          int migrated ATTRIBUTE_UNUSED)
1640
{
1641
    virSecurityLabelDefPtr secdef;
1642
    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
1643 1644
    int i;
    int rc = 0;
1645

1646
    VIR_DEBUG("Restoring security label on %s", def->name);
1647

1648 1649 1650 1651
    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (secdef == NULL)
        return -1;

1652
    if (secdef->norelabel || data->skipAllLabel)
1653 1654
        return 0;

1655
    for (i = 0 ; i < def->nhostdevs ; i++) {
1656 1657
        if (virSecuritySELinuxRestoreSecurityHostdevLabel(mgr,
                                                          def,
1658 1659
                                                          def->hostdevs[i],
                                                          NULL) < 0)
1660
            rc = -1;
1661
    }
1662
    for (i = 0 ; i < def->ndisks ; i++) {
1663 1664 1665 1666
        if (virSecuritySELinuxRestoreSecurityImageLabelInt(mgr,
                                                           def,
                                                           def->disks[i],
                                                           migrated) < 0)
1667 1668
            rc = -1;
    }
1669

1670
    if (virDomainChrDefForeach(def,
1671
                               false,
1672
                               virSecuritySELinuxRestoreSecurityChardevCallback,
1673
                               NULL) < 0)
1674 1675
        rc = -1;

1676
    if (virDomainSmartcardDefForeach(def,
E
Eric Blake 已提交
1677
                                     false,
1678
                                     virSecuritySELinuxRestoreSecuritySmartcardCallback,
1679
                                     NULL) < 0)
E
Eric Blake 已提交
1680 1681
        rc = -1;

1682
    if (def->os.kernel &&
1683
        virSecuritySELinuxRestoreSecurityFileLabel(def->os.kernel) < 0)
1684 1685
        rc = -1;

1686
    if (def->os.initrd &&
1687
        virSecuritySELinuxRestoreSecurityFileLabel(def->os.initrd) < 0)
1688 1689
        rc = -1;

1690 1691 1692 1693
    return rc;
}

static int
1694
virSecuritySELinuxReleaseSecurityLabel(virSecurityManagerPtr mgr,
1695
                                       virDomainDefPtr def)
1696
{
1697 1698 1699 1700 1701
    virSecurityLabelDefPtr secdef;

    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (secdef == NULL)
        return -1;
1702

1703 1704 1705 1706
    if (secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
        if (secdef->label != NULL) {
            context_t con = context_new(secdef->label);
            if (con) {
1707
                virSecuritySELinuxMCSRemove(mgr, context_range_get(con));
1708 1709 1710 1711 1712 1713
                context_free(con);
            }
        }
        VIR_FREE(secdef->label);
        if (!secdef->baselabel)
            VIR_FREE(secdef->model);
1714 1715 1716
    }
    VIR_FREE(secdef->imagelabel);

1717
    return 0;
1718 1719
}

1720 1721

static int
1722 1723 1724
virSecuritySELinuxSetSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                     virDomainDefPtr def,
                                     const char *savefile)
1725
{
1726 1727 1728 1729 1730
    virSecurityLabelDefPtr secdef;

    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (secdef == NULL)
        return -1;
1731

1732
    if (secdef->norelabel)
1733 1734
        return 0;

1735
    return virSecuritySELinuxSetFilecon(savefile, secdef->imagelabel);
1736 1737 1738 1739
}


static int
1740 1741 1742
virSecuritySELinuxRestoreSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                         virDomainDefPtr def,
                                         const char *savefile)
1743
{
1744 1745 1746 1747 1748
    virSecurityLabelDefPtr secdef;

    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (secdef == NULL)
        return -1;
1749

1750
    if (secdef->norelabel)
1751 1752
        return 0;

1753
    return virSecuritySELinuxRestoreSecurityFileLabel(savefile);
1754 1755 1756
}


1757
static int
1758 1759
virSecuritySELinuxSecurityVerify(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                 virDomainDefPtr def)
1760
{
1761 1762 1763 1764 1765 1766
    virSecurityLabelDefPtr secdef;

    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (secdef == NULL)
        return -1;

1767
    if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
1768 1769 1770 1771 1772
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("security label driver mismatch: "
                         "'%s' model configured for domain, but "
                         "hypervisor driver is '%s'."),
                       secdef->model, virSecurityManagerGetModel(mgr));
1773 1774 1775
        return -1;
    }

1776 1777
    if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC) {
        if (security_check_context(secdef->label) != 0) {
1778 1779
            virReportError(VIR_ERR_XML_ERROR,
                           _("Invalid security label %s"), secdef->label);
1780 1781 1782 1783 1784 1785
            return -1;
        }
    }
    return 0;
}

1786
static int
1787 1788
virSecuritySELinuxSetSecurityProcessLabel(virSecurityManagerPtr mgr,
                                          virDomainDefPtr def)
1789 1790
{
    /* TODO: verify DOI */
1791 1792 1793 1794 1795
    virSecurityLabelDefPtr secdef;

    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (secdef == NULL)
        return -1;
1796

1797
    if (secdef->label == NULL)
1798 1799
        return 0;

1800
    VIR_DEBUG("label=%s", secdef->label);
1801
    if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
1802 1803 1804 1805 1806
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("security label driver mismatch: "
                         "'%s' model configured for domain, but "
                         "hypervisor driver is '%s'."),
                       secdef->model, virSecurityManagerGetModel(mgr));
1807
        if (security_getenforce() == 1)
1808
            return -1;
1809 1810
    }

M
Martin Kletzander 已提交
1811
    if (setexeccon_raw(secdef->label) == -1) {
1812
        virReportSystemError(errno,
1813 1814
                             _("unable to set security context '%s'"),
                             secdef->label);
1815
        if (security_getenforce() == 1)
1816
            return -1;
1817 1818
    }

1819 1820 1821
    return 0;
}

1822
static int
1823 1824
virSecuritySELinuxSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr,
                                               virDomainDefPtr def)
1825 1826
{
    /* TODO: verify DOI */
1827
    virSecurityLabelDefPtr secdef;
1828
    security_context_t scon = NULL;
1829
    char *str = NULL;
1830 1831
    int rc = -1;

1832 1833 1834 1835 1836
    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (secdef == NULL)
        return -1;

    if (secdef->label == NULL)
1837 1838
        return 0;

1839
    if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
1840 1841 1842 1843 1844
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("security label driver mismatch: "
                         "'%s' model configured for domain, but "
                         "hypervisor driver is '%s'."),
                       secdef->model, virSecurityManagerGetModel(mgr));
1845 1846 1847
        goto done;
    }

M
Martin Kletzander 已提交
1848
    if (getcon_raw(&scon) == -1) {
1849 1850 1851 1852 1853 1854
        virReportSystemError(errno,
                             _("unable to get current process context '%s'"),
                             secdef->label);
        goto done;
    }

1855
    if (!(str = virSecuritySELinuxContextAddRange(secdef->label, scon)))
1856 1857
        goto done;

1858 1859
    VIR_DEBUG("Setting VM %s socket context %s", def->name, str);
    if (setsockcreatecon_raw(str) == -1) {
1860
        virReportSystemError(errno,
1861
                             _("unable to set socket security context '%s'"), str);
1862 1863 1864 1865 1866 1867 1868 1869 1870
        goto done;
    }

    rc = 0;
done:

    if (security_getenforce() != 1)
        rc = 0;
    freecon(scon);
1871
    VIR_FREE(str);
1872 1873 1874
    return rc;
}

1875
static int
1876 1877
virSecuritySELinuxSetSecuritySocketLabel(virSecurityManagerPtr mgr,
                                         virDomainDefPtr vm)
1878
{
1879
    virSecurityLabelDefPtr secdef;
1880 1881
    int rc = -1;

1882 1883 1884 1885
    secdef = virDomainDefGetSecurityLabelDef(vm, SECURITY_SELINUX_NAME);
    if (secdef == NULL)
        return -1;

1886 1887 1888 1889
    if (secdef->label == NULL)
        return 0;

    if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
1890 1891 1892 1893 1894
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("security label driver mismatch: "
                         "'%s' model configured for domain, but "
                         "hypervisor driver is '%s'."),
                       secdef->model, virSecurityManagerGetModel(mgr));
1895 1896 1897 1898
        goto done;
    }

    VIR_DEBUG("Setting VM %s socket context %s",
1899
              vm->name, secdef->label);
M
Martin Kletzander 已提交
1900
    if (setsockcreatecon_raw(secdef->label) == -1) {
1901 1902 1903 1904 1905 1906 1907 1908 1909 1910 1911 1912 1913 1914 1915
        virReportSystemError(errno,
                             _("unable to set socket security context '%s'"),
                             secdef->label);
        goto done;
    }

    rc = 0;

done:
    if (security_getenforce() != 1)
        rc = 0;

    return rc;
}

1916
static int
1917 1918
virSecuritySELinuxClearSecuritySocketLabel(virSecurityManagerPtr mgr,
                                           virDomainDefPtr def)
1919 1920
{
    /* TODO: verify DOI */
1921 1922 1923 1924 1925
    virSecurityLabelDefPtr secdef;

    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (secdef == NULL)
        return -1;
1926

1927
    if (secdef->label == NULL)
1928 1929
        return 0;

1930
    if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
1931 1932 1933 1934 1935
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("security label driver mismatch: "
                         "'%s' model configured for domain, but "
                         "hypervisor driver is '%s'."),
                       secdef->model, virSecurityManagerGetModel(mgr));
1936 1937 1938 1939
        if (security_getenforce() == 1)
            return -1;
    }

M
Martin Kletzander 已提交
1940
    if (setsockcreatecon_raw(NULL) == -1) {
1941 1942 1943 1944 1945 1946 1947 1948 1949
        virReportSystemError(errno,
                             _("unable to clear socket security context '%s'"),
                             secdef->label);
        if (security_getenforce() == 1)
            return -1;
    }
    return 0;
}

1950 1951

static int
1952 1953 1954
virSecuritySELinuxSetSecurityChardevCallback(virDomainDefPtr def,
                                             virDomainChrDefPtr dev,
                                             void *opaque ATTRIBUTE_UNUSED)
1955
{
1956 1957 1958 1959 1960
    /* This is taken care of by processing of def->serials */
    if (dev->deviceType == VIR_DOMAIN_CHR_DEVICE_TYPE_CONSOLE &&
        dev->targetType == VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_SERIAL)
        return 0;

1961
    return virSecuritySELinuxSetSecurityChardevLabel(def, dev, &dev->source);
1962 1963 1964
}


E
Eric Blake 已提交
1965
static int
1966 1967 1968
virSecuritySELinuxSetSecuritySmartcardCallback(virDomainDefPtr def,
                                               virDomainSmartcardDefPtr dev,
                                               void *opaque)
E
Eric Blake 已提交
1969 1970
{
    const char *database;
1971 1972
    virSecurityManagerPtr mgr = opaque;
    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
E
Eric Blake 已提交
1973 1974 1975 1976 1977 1978 1979 1980 1981

    switch (dev->type) {
    case VIR_DOMAIN_SMARTCARD_TYPE_HOST:
        break;

    case VIR_DOMAIN_SMARTCARD_TYPE_HOST_CERTIFICATES:
        database = dev->data.cert.database;
        if (!database)
            database = VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE;
1982
        return virSecuritySELinuxSetFilecon(database, data->content_context);
E
Eric Blake 已提交
1983 1984

    case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
1985
        return virSecuritySELinuxSetSecurityChardevLabel(def, NULL, &dev->data.passthru);
E
Eric Blake 已提交
1986 1987

    default:
1988 1989 1990
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("unknown smartcard type %d"),
                       dev->type);
E
Eric Blake 已提交
1991 1992 1993 1994 1995 1996 1997
        return -1;
    }

    return 0;
}


1998
static int
1999 2000 2001
virSecuritySELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
                                      virDomainDefPtr def,
                                      const char *stdin_path)
2002 2003
{
    int i;
2004 2005 2006 2007 2008 2009
    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
    virSecurityLabelDefPtr secdef;

    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (secdef == NULL)
        return -1;
2010

2011
    if (secdef->norelabel || data->skipAllLabel)
2012 2013
        return 0;

2014
    for (i = 0 ; i < def->ndisks ; i++) {
2015
        /* XXX fixme - we need to recursively label the entire tree :-( */
2016
        if (def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_DIR) {
2017
            VIR_WARN("Unable to relabel directory tree %s for disk %s",
2018
                     def->disks[i]->src, def->disks[i]->dst);
2019
            continue;
2020
        }
2021
        if (virSecuritySELinuxSetSecurityImageLabel(mgr,
2022
                                         def, def->disks[i]) < 0)
2023 2024
            return -1;
    }
2025
    /* XXX fixme process  def->fss if relabel == true */
2026

2027
    for (i = 0 ; i < def->nhostdevs ; i++) {
2028
        if (virSecuritySELinuxSetSecurityHostdevLabel(mgr,
2029 2030 2031
                                                      def,
                                                      def->hostdevs[i],
                                                      NULL) < 0)
2032
            return -1;
2033 2034
    }

2035
    if (virDomainChrDefForeach(def,
2036
                               true,
2037
                               virSecuritySELinuxSetSecurityChardevCallback,
2038
                               NULL) < 0)
2039 2040
        return -1;

2041
    if (virDomainSmartcardDefForeach(def,
E
Eric Blake 已提交
2042
                                     true,
2043
                                     virSecuritySELinuxSetSecuritySmartcardCallback,
2044
                                     mgr) < 0)
E
Eric Blake 已提交
2045 2046
        return -1;

2047
    if (def->os.kernel &&
2048
        virSecuritySELinuxSetFilecon(def->os.kernel, data->content_context) < 0)
2049 2050
        return -1;

2051
    if (def->os.initrd &&
2052
        virSecuritySELinuxSetFilecon(def->os.initrd, data->content_context) < 0)
2053 2054
        return -1;

2055
    if (stdin_path) {
2056
        if (virSecuritySELinuxSetFilecon(stdin_path, data->content_context) < 0 &&
2057 2058 2059 2060
            virStorageFileIsSharedFSType(stdin_path,
                                         VIR_STORAGE_FILE_SHFS_NFS) != 1)
            return -1;
    }
2061

2062 2063 2064
    return 0;
}

2065
static int
2066 2067 2068
virSecuritySELinuxSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                  virDomainDefPtr def,
                                  int fd)
2069
{
2070 2071 2072 2073 2074
    virSecurityLabelDefPtr secdef;

    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (secdef == NULL)
        return -1;
2075 2076 2077 2078

    if (secdef->imagelabel == NULL)
        return 0;

2079
    return virSecuritySELinuxFSetFilecon(fd, secdef->imagelabel);
2080 2081
}

2082 2083 2084 2085 2086 2087 2088 2089 2090 2091 2092 2093 2094 2095 2096 2097 2098 2099 2100 2101 2102 2103 2104 2105 2106 2107 2108 2109 2110 2111 2112 2113 2114 2115 2116 2117 2118 2119 2120 2121 2122 2123 2124 2125 2126 2127 2128
static int
virSecuritySELinuxSetTapFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                virDomainDefPtr def,
                                int fd)
{
    struct stat buf;
    security_context_t fcon = NULL;
    virSecurityLabelDefPtr secdef;
    char *str = NULL;
    int rc = -1;

    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (secdef == NULL)
        return rc;

    if (secdef->label == NULL)
        return 0;

    if (fstat(fd, &buf) < 0) {
        virReportSystemError(errno, _("cannot stat tap fd %d"), fd);
        goto cleanup;
    }

    if ((buf.st_mode & S_IFMT) != S_IFCHR) {
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("tap fd %d is not character device"), fd);
        goto cleanup;
    }

    if (getContext("/dev/tap.*", buf.st_mode, &fcon) < 0) {
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("cannot lookup default selinux label for tap fd %d"), fd);
        goto cleanup;
    }

    if (!(str = virSecuritySELinuxContextAddRange(secdef->label, fcon))) {
        goto cleanup;
    } else {
        rc = virSecuritySELinuxFSetFilecon(fd, str);
    }

cleanup:
    freecon(fcon);
    VIR_FREE(str);
    return rc;
}

2129 2130 2131 2132
static char *
virSecuritySELinuxGenImageLabel(virSecurityManagerPtr mgr,
                                virDomainDefPtr def)
{
2133
    virSecurityLabelDefPtr secdef;
2134 2135 2136 2137 2138 2139
    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
    const char *range;
    context_t ctx = NULL;
    char *label = NULL;
    const char *mcs = NULL;

2140 2141 2142 2143
    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (secdef == NULL)
        goto cleanup;

2144 2145 2146 2147 2148 2149 2150 2151 2152 2153 2154 2155 2156
    if (secdef->label) {
        ctx = context_new(secdef->label);
        if (!ctx) {
            virReportOOMError();
            goto cleanup;
        }
        range = context_range_get(ctx);
        if (range) {
            mcs = strdup(range);
            if (!mcs) {
                virReportOOMError();
                goto cleanup;
            }
2157 2158
            if (!(label = virSecuritySELinuxGenNewContext(data->file_context,
                                                          mcs, true)))
2159 2160 2161 2162 2163 2164 2165 2166 2167 2168
                goto cleanup;
        }
    }

cleanup:
        context_free(ctx);
        VIR_FREE(mcs);
        return label;
}

2169 2170 2171 2172
static char *
virSecuritySELinuxGetSecurityMountOptions(virSecurityManagerPtr mgr,
                                          virDomainDefPtr def)
{
2173
    char *opts = NULL;
2174 2175
    virSecurityLabelDefPtr secdef;

2176 2177 2178 2179 2180 2181 2182 2183 2184 2185 2186 2187
    if ((secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME))) {
        if (!secdef->imagelabel)
            secdef->imagelabel = virSecuritySELinuxGenImageLabel(mgr, def);

        if (secdef->imagelabel &&
            virAsprintf(&opts,
                        ",context=\"%s\"",
                        (const char*) secdef->imagelabel) < 0) {
            virReportOOMError();
            return NULL;
        }
    }
2188

2189 2190 2191 2192
    if (!opts &&
        !(opts = strdup(""))) {
        virReportOOMError();
        return NULL;
2193 2194
    }

2195 2196
    VIR_DEBUG("imageLabel=%s opts=%s",
              secdef ? secdef->imagelabel : "(null)", opts);
2197 2198 2199
    return opts;
}

2200
virSecurityDriver virSecurityDriverSELinux = {
2201 2202
    .privateDataLen                     = sizeof(virSecuritySELinuxData),
    .name                               = SECURITY_SELINUX_NAME,
2203 2204 2205
    .probe                              = virSecuritySELinuxSecurityDriverProbe,
    .open                               = virSecuritySELinuxSecurityDriverOpen,
    .close                              = virSecuritySELinuxSecurityDriverClose,
2206

2207 2208
    .getModel                           = virSecuritySELinuxSecurityGetModel,
    .getDOI                             = virSecuritySELinuxSecurityGetDOI,
2209

2210
    .domainSecurityVerify               = virSecuritySELinuxSecurityVerify,
2211

2212 2213
    .domainSetSecurityImageLabel        = virSecuritySELinuxSetSecurityImageLabel,
    .domainRestoreSecurityImageLabel    = virSecuritySELinuxRestoreSecurityImageLabel,
2214

2215 2216 2217
    .domainSetSecurityDaemonSocketLabel = virSecuritySELinuxSetSecurityDaemonSocketLabel,
    .domainSetSecuritySocketLabel       = virSecuritySELinuxSetSecuritySocketLabel,
    .domainClearSecuritySocketLabel     = virSecuritySELinuxClearSecuritySocketLabel,
2218

2219 2220 2221
    .domainGenSecurityLabel             = virSecuritySELinuxGenSecurityLabel,
    .domainReserveSecurityLabel         = virSecuritySELinuxReserveSecurityLabel,
    .domainReleaseSecurityLabel         = virSecuritySELinuxReleaseSecurityLabel,
2222

2223 2224
    .domainGetSecurityProcessLabel      = virSecuritySELinuxGetSecurityProcessLabel,
    .domainSetSecurityProcessLabel      = virSecuritySELinuxSetSecurityProcessLabel,
2225

2226 2227
    .domainSetSecurityAllLabel          = virSecuritySELinuxSetSecurityAllLabel,
    .domainRestoreSecurityAllLabel      = virSecuritySELinuxRestoreSecurityAllLabel,
2228

2229 2230
    .domainSetSecurityHostdevLabel      = virSecuritySELinuxSetSecurityHostdevLabel,
    .domainRestoreSecurityHostdevLabel  = virSecuritySELinuxRestoreSecurityHostdevLabel,
2231

2232 2233
    .domainSetSavedStateLabel           = virSecuritySELinuxSetSavedStateLabel,
    .domainRestoreSavedStateLabel       = virSecuritySELinuxRestoreSavedStateLabel,
2234

2235
    .domainSetSecurityImageFDLabel      = virSecuritySELinuxSetImageFDLabel,
2236
    .domainSetSecurityTapFDLabel        = virSecuritySELinuxSetTapFDLabel,
2237

2238
    .domainGetSecurityMountOptions      = virSecuritySELinuxGetSecurityMountOptions,
2239
};