/*
 * Copyright (C) 2008-2011 Red Hat, Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * Authors:
 *     James Morris <jmorris@namei.org>
 *     Dan Walsh <dwalsh@redhat.com>
 *
 * SELinux security driver.
 */
#include <config.h>
#include <selinux/selinux.h>
#include <selinux/context.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#if HAVE_SELINUX_LABEL_H
# include <selinux/label.h>
#endif

#include "security_driver.h"
#include "security_selinux.h"
#include "virterror_internal.h"
#include "util.h"
#include "memory.h"
#include "logging.h"
#include "pci.h"
#include "hostusb.h"
#include "storage_file.h"
#include "virfile.h"

#define VIR_FROM_THIS VIR_FROM_SECURITY

/* Default contexts loaded by SELinuxInitialize() from the libselinux
 * virtual-domain and virtual-image context files; each holds one
 * NUL-terminated context string. default_content_context is taken from
 * the second line of the image context file, if present. */
static char default_domain_context[1024];
static char default_content_context[1024];
static char default_image_context[1024];
#define SECURITY_SELINUX_VOID_DOI       "0"
#define SECURITY_SELINUX_NAME "selinux"

/* TODO
   The data struct of used mcs should be replaced with a better data structure in the future
*/

/* Singly-linked list of MCS range strings (e.g. "s0:c12,c345") that are
 * currently reserved for running domains. mcsAdd() refuses duplicates,
 * which is what keeps two dynamically labelled guests from sharing a
 * category pair. */
struct MCS {
    char *mcs;
    struct MCS *next;
};
static struct MCS *mcsList = NULL;

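/* Reserve the MCS range string @mcs in the global list.
 *
 * Returns 0 if it was added, -1 if it is already reserved or memory could
 * not be allocated; callers treat -1 as "pick a different range". */
static int
mcsAdd(const char *mcs)
{
    struct MCS *ptr;

    for (ptr = mcsList; ptr; ptr = ptr->next) {
        if (STREQ(ptr->mcs, mcs))
            return -1;
    }
    if (VIR_ALLOC(ptr) < 0)
        return -1;
    /* An unchecked strdup() would link a node with a NULL ->mcs into the
     * list, which the STREQ() above would dereference on the next lookup. */
    if (!(ptr->mcs = strdup(mcs))) {
        VIR_FREE(ptr);
        return -1;
    }
    ptr->next = mcsList;
    mcsList = ptr;
    return 0;
}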

/* Release the MCS range string @mcs from the global list.
 *
 * Returns 0 if a matching entry was found and freed, -1 otherwise. */
static int
mcsRemove(const char *mcs)
{
    struct MCS **link = &mcsList;

    while (*link) {
        struct MCS *cur = *link;

        if (STREQ(cur->mcs, mcs)) {
            /* Unlink through whichever pointer referenced this node: the
             * list head or the previous node's ->next. */
            *link = cur->next;
            VIR_FREE(cur->mcs);
            VIR_FREE(cur);
            return 0;
        }
        link = &cur->next;
    }
    return -1;
}

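/* Build a new context string from @oldcontext with its MLS/MCS range
 * replaced by @mcs.
 *
 * Returns a newly allocated string the caller must free, or NULL if the
 * context cannot be parsed, the range cannot be set, or memory runs out. */
static char *
SELinuxGenNewContext(const char *oldcontext, const char *mcs)
{
    char *newcontext = NULL;
    const char *str;
    context_t con;

    /* context_new() parses its argument without taking ownership, so the
     * extra strdup() of @oldcontext is unnecessary. */
    con = context_new(oldcontext);
    if (!con)
        return NULL;
    /* If the range cannot be applied the result would carry the old range,
     * i.e. not the per-domain categories the caller asked for. */
    if (context_range_set(con, mcs) != 0)
        goto cleanup;
    /* context_str() may itself fail; strdup(NULL) is undefined. */
    if ((str = context_str(con)))
        newcontext = strdup(str);

cleanup:
    context_free(con);
    return newcontext;
}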

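/* Load the default domain, image and content contexts from the files
 * libselinux points at, into the file-scope buffers.
 *
 * The domain file contributes its first line; the image file contributes
 * its first line (image context) and, if present, its second line
 * (content context). Returns 0 on success, -1 with an error reported. */
static int
SELinuxInitialize(void)
{
    char *ptr = NULL;
    int fd = -1;
    ssize_t got;

    fd = open(selinux_virtual_domain_context_path(), O_RDONLY);
    if (fd < 0) {
        virReportSystemError(errno,
                             _("cannot open SELinux virtual domain context file '%s'"),
                             selinux_virtual_domain_context_path());
        return -1;
    }

    /* Read one byte less than the buffer and terminate explicitly:
     * saferead() does not NUL-terminate, so a file of sizeof(buffer) bytes
     * or more would leave strchrnul() scanning past the end of the array. */
    got = saferead(fd, default_domain_context,
                   sizeof(default_domain_context) - 1);
    if (got < 0) {
        virReportSystemError(errno,
                             _("cannot read SELinux virtual domain context file %s"),
                             selinux_virtual_domain_context_path());
        VIR_FORCE_CLOSE(fd);
        return -1;
    }
    VIR_FORCE_CLOSE(fd);
    default_domain_context[got] = '\0';

    ptr = strchrnul(default_domain_context, '\n');
    *ptr = '\0';

    if ((fd = open(selinux_virtual_image_context_path(), O_RDONLY)) < 0) {
        virReportSystemError(errno,
                             _("cannot open SELinux virtual image context file %s"),
                             selinux_virtual_image_context_path());
        return -1;
    }

    got = saferead(fd, default_image_context,
                   sizeof(default_image_context) - 1);
    if (got < 0) {
        virReportSystemError(errno,
                             _("cannot read SELinux virtual image context file %s"),
                             selinux_virtual_image_context_path());
        VIR_FORCE_CLOSE(fd);
        return -1;
    }
    VIR_FORCE_CLOSE(fd);
    default_image_context[got] = '\0';

    ptr = strchrnul(default_image_context, '\n');
    if (*ptr == '\n') {
        *ptr = '\0';
        /* The remainder is strictly shorter than the image buffer and is
         * NUL-terminated, so it fits the equally sized content buffer. */
        strcpy(default_content_context, ptr + 1);
        ptr = strchrnul(default_content_context, '\n');
        if (*ptr == '\n')
            *ptr = '\0';
    }
    /* NOTE(review): with a single-line image file default_content_context
     * stays empty (static storage); confirm that the read-only/backing
     * file labelling paths cope with an empty context string. */
    return 0;
}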

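/* Generate the process label and image label for @vm from its <seclabel>
 * configuration.
 *
 * Dynamic labels get a random, not-yet-reserved MCS category pair applied
 * to the base label (or the default domain context); static labels reuse
 * the range of the caller-supplied context. The image label is the default
 * image context with the same range. Returns 0 on success, -1 with an
 * error reported; on failure any label this call allocated is freed. */
static int
SELinuxGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                        virDomainObjPtr vm)
{
    int rc = -1;
    char *mcs = NULL;
    int c1 = 0;
    int c2 = 0;
    context_t ctx = NULL;

    if ((vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) &&
        !vm->def->seclabel.baselabel &&
        vm->def->seclabel.model) {
        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                               "%s", _("security model already defined for VM"));
        return rc;
    }

    if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
        vm->def->seclabel.label) {
        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                               "%s", _("security label already defined for VM"));
        return rc;
    }

    if (vm->def->seclabel.imagelabel) {
        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                               "%s", _("security image label already defined for VM"));
        return rc;
    }

    if (vm->def->seclabel.model &&
        STRNEQ(vm->def->seclabel.model, SECURITY_SELINUX_NAME)) {
        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                               _("security label model %s is not supported with selinux"),
                               vm->def->seclabel.model);
        return rc;
    }

    if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC) {
        const char *range;

        if (!(ctx = context_new(vm->def->seclabel.label)) ) {
            virReportSystemError(errno,
                                 _("unable to allocate socket security context '%s'"),
                                 vm->def->seclabel.label);
            return rc;
        }

        /* A static label without an MLS/MCS range cannot be used to derive
         * the image label; it is reported as OOM, matching prior behaviour. */
        range = context_range_get(ctx);
        if (!range ||
            !(mcs = strdup(range))) {
            virReportOOMError();
            goto cleanup;
        }
    } else {
        /* Draw random category pairs until one is not already reserved.
         * NOTE(review): mcsAdd() also returns -1 on allocation failure,
         * so this loop does not terminate under sustained OOM. */
        do {
            /* The previous attempt's string is discarded here; overwriting
             * the pointer in virAsprintf() would leak it on every retry. */
            VIR_FREE(mcs);
            c1 = virRandom(1024);
            c2 = virRandom(1024);

            if (c1 == c2) {
                if (virAsprintf(&mcs, "s0:c%d", c1) < 0) {
                    virReportOOMError();
                    goto cleanup;
                }
            } else {
                /* Categories are written in ascending order. */
                if (c1 > c2) {
                    int tmp = c1;
                    c1 = c2;
                    c2 = tmp;
                }
                if (virAsprintf(&mcs, "s0:c%d,c%d", c1, c2) < 0) {
                    virReportOOMError();
                    goto cleanup;
                }
            }
        } while (mcsAdd(mcs) == -1);

        vm->def->seclabel.label =
            SELinuxGenNewContext(vm->def->seclabel.baselabel ?
                                 vm->def->seclabel.baselabel :
                                 default_domain_context, mcs);
        if (! vm->def->seclabel.label)  {
            virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                                   _("cannot generate selinux context for %s"), mcs);
            goto cleanup;
        }
    }
    vm->def->seclabel.imagelabel = SELinuxGenNewContext(default_image_context, mcs);
    if (!vm->def->seclabel.imagelabel)  {
        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                               _("cannot generate selinux context for %s"), mcs);
        goto cleanup;
    }

    if (!vm->def->seclabel.model &&
        !(vm->def->seclabel.model = strdup(SECURITY_SELINUX_NAME))) {
        virReportOOMError();
        goto cleanup;
    }

    rc = 0;

cleanup:
    if (rc != 0) {
        /* Only undo what this call allocated: a static label and a
         * caller-supplied model stay untouched. */
        if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC)
            VIR_FREE(vm->def->seclabel.label);
        VIR_FREE(vm->def->seclabel.imagelabel);
        if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
            !vm->def->seclabel.baselabel)
            VIR_FREE(vm->def->seclabel.model);
    }

    if (ctx)
        context_free(ctx);
    VIR_FREE(mcs);

    VIR_DEBUG("model=%s label=%s imagelabel=%s baselabel=%s",
              NULLSTR(vm->def->seclabel.model),
              NULLSTR(vm->def->seclabel.label),
              NULLSTR(vm->def->seclabel.imagelabel),
              NULLSTR(vm->def->seclabel.baselabel));

    return rc;
}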

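/* Re-register the MCS range of an already running domain (for example
 * after a daemon restart) so that newly generated dynamic labels avoid it.
 *
 * Static labels are not tracked. Returns 0 on success or when nothing
 * needs reserving, -1 if the process context cannot be read or parsed. */
static int
SELinuxReserveSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                            virDomainObjPtr vm)
{
    security_context_t pctx;
    context_t ctx = NULL;
    const char *mcs;
    int rc = -1;

    if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC)
        return 0;

    if (getpidcon(vm->pid, &pctx) == -1) {
        virReportSystemError(errno,
                             _("unable to get PID %d security context"), vm->pid);
        return -1;
    }

    ctx = context_new(pctx);
    freecon(pctx);
    if (!ctx)
        goto cleanup;

    mcs = context_range_get(ctx);
    if (!mcs)
        goto cleanup;

    /* mcsAdd() returns -1 both for an already reserved range and for an
     * allocation failure. Neither is fatal for a guest that is already
     * running, but a duplicate may mean two domains share categories, so
     * it must not pass silently. */
    if (mcsAdd(mcs) < 0)
        VIR_WARN("MCS range '%s' of domain %s (pid %d) could not be reserved",
                 mcs, vm->def->name, vm->pid);

    rc = 0;

cleanup:
    context_free(ctx);
    return rc;
}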



/* Report whether this driver should be used on the host.
 *
 * NOTE(review): is_selinux_enabled() returns -1 when the state cannot be
 * determined; being non-zero, that enables the driver too, and the open
 * hook then fails if the context files cannot be read. Presumably
 * intentional (fail closed) — confirm before changing. */
static int
SELinuxSecurityDriverProbe(void)
{
    if (is_selinux_enabled())
        return SECURITY_DRIVER_ENABLE;
    return SECURITY_DRIVER_DISABLE;
}

/* Driver open hook: load the default contexts from the host's SELinux
 * configuration. Returns 0 on success, -1 with an error reported. */
static int
SELinuxSecurityDriverOpen(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
{
    int rc = SELinuxInitialize();

    return rc;
}

/* Driver close hook. Nothing is held per manager; the MCS reservation
 * list is global and is released per domain by
 * SELinuxReleaseSecurityLabel(). Always returns 0. */
static int
SELinuxSecurityDriverClose(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
{
    int rc = 0;

    return rc;
}


/* Name of this security model as it appears in domain XML ("selinux"). */
static const char *SELinuxSecurityGetModel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
{
    static const char *const model = SECURITY_SELINUX_NAME;

    return model;
}

/* Domain of interpretation advertised for labels. Fixed at "0" because
 * neither the SELinux nor the hypervisor configuration supplies one yet. */
static const char *SELinuxSecurityGetDOI(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
{
    /*
     * Where will the DOI come from?  SELinux configuration, or qemu
     * configuration? For the moment, we'll just set it to "0".
     */
    static const char *const doi = SECURITY_SELINUX_VOID_DOI;

    return doi;
}

/* Fill @sec with the running domain's process context and the host's
 * current enforcing state.
 *
 * The context is copied into sec->label only if it fits the fixed
 * VIR_SECURITY_LABEL_BUFLEN buffer including its terminator. Returns 0
 * on success, -1 with an error reported otherwise. */
static int
SELinuxGetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                               virDomainObjPtr vm,
                               virSecurityLabelPtr sec)
{
    security_context_t ctx = NULL;
    size_t len;

    if (getpidcon(vm->pid, &ctx) == -1) {
        virReportSystemError(errno,
                             _("unable to get PID %d security context"),
                             vm->pid);
        return -1;
    }

    len = strlen((char *) ctx);
    if (len >= VIR_SECURITY_LABEL_BUFLEN) {
        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                               _("security label exceeds "
                                 "maximum length: %d"),
                               VIR_SECURITY_LABEL_BUFLEN - 1);
        freecon(ctx);
        return -1;
    }

    /* len + 1 includes the terminator; the bound above guarantees it fits. */
    memcpy(sec->label, ctx, len + 1);
    freecon(ctx);

    /* security_getenforce(): 1 enforcing, 0 permissive, -1 on error. */
    sec->enforcing = security_getenforce();
    if (sec->enforcing == -1) {
        virReportSystemError(errno, "%s",
                             _("error calling security_getenforce()"));
        return -1;
    }

    return 0;
}

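/* Apply the SELinux context @tcon to @path (symlinks are followed, as
 * setfilecon() does).
 *
 * A failure is tolerated when the file already carries @tcon, or when the
 * filesystem does not support labelling (EOPNOTSUPP/ENOTSUP, typical for
 * NFS, usbfs or sysfs) — the user is then expected to have enabled the
 * matching virt_use_* boolean. Any other failure is reported and is fatal
 * unless SELinux is confirmed to be permissive. Returns 0 or -1. */
static int
SELinuxSetFilecon(const char *path, char *tcon)
{
    security_context_t econ;
    int saved_errno;

    VIR_INFO("Setting SELinux context on '%s' to '%s'", path, tcon);

    if (setfilecon(path, tcon) == 0)
        return 0;
    /* Preserve the failure reason across the libselinux calls below. */
    saved_errno = errno;

    if (getfilecon(path, &econ) >= 0) {
        bool same = STREQ(tcon, econ);
        freecon(econ);
        if (same) {
            /* It's alright, there's nothing to change anyway. */
            return 0;
        }
    }

    /* if the error complaint is related to an image hosted on
     * an nfs mount, or a usbfs/sysfs filesystem not supporting
     * labelling, then just ignore it & hope for the best.
     * The user hopefully set one of the necessary SELinux
     * virt_use_{nfs,usb,pci}  boolean tunables to allow it...
     */
    if (saved_errno == EOPNOTSUPP || saved_errno == ENOTSUP) {
        if (virStorageFileIsSharedFSType(path,
                                         VIR_STORAGE_FILE_SHFS_NFS) == 1 &&
            security_get_boolean_active("virt_use_nfs") != 1) {
            const char *msg = _("Setting security context '%s' on '%s' not supported. "
                                "Consider setting virt_use_nfs");
            if (security_getenforce() == 1)
                VIR_WARN(msg, tcon, path);
            else
                VIR_INFO(msg, tcon, path);
        } else {
            VIR_INFO("Setting security context '%s' on '%s' not supported",
                     tcon, path);
        }
        return 0;
    }

    virReportSystemError(saved_errno,
                         _("unable to set security context '%s' on '%s'"),
                         tcon, path);
    /* security_getenforce() returns 1 enforcing, 0 permissive, -1 when the
     * state cannot be read. Only a confirmed permissive mode may turn this
     * failure into success; an unknown state must not let an unlabelled
     * file through, so -1 is treated like enforcing. */
    if (security_getenforce() != 0)
        return -1;
    return 0;
}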

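/* Apply the SELinux context @tcon to the open file @fd; the descriptor
 * variant of SELinuxSetFilecon() with the same tolerance rules: an already
 * matching label or a filesystem that does not support labelling
 * (EOPNOTSUPP/ENOTSUP) is accepted, any other failure is reported and is
 * fatal unless SELinux is confirmed permissive. Returns 0 or -1. */
static int
SELinuxFSetFilecon(int fd, char *tcon)
{
    security_context_t econ;
    int saved_errno;

    VIR_INFO("Setting SELinux context on fd %d to '%s'", fd, tcon);

    if (fsetfilecon(fd, tcon) == 0)
        return 0;
    /* Preserve the failure reason across the libselinux calls below. */
    saved_errno = errno;

    if (fgetfilecon(fd, &econ) >= 0) {
        bool same = STREQ(tcon, econ);
        freecon(econ);
        if (same) {
            /* It's alright, there's nothing to change anyway. */
            return 0;
        }
    }

    /* if the error complaint is related to an image hosted on
     * an nfs mount, or a usbfs/sysfs filesystem not supporting
     * labelling, then just ignore it & hope for the best.
     * The user hopefully set one of the necessary SELinux
     * virt_use_{nfs,usb,pci}  boolean tunables to allow it...
     *
     * ENOTSUP is checked alongside EOPNOTSUPP to match SELinuxSetFilecon();
     * the two are distinct values on some platforms. */
    if (saved_errno == EOPNOTSUPP || saved_errno == ENOTSUP) {
        VIR_INFO("Setting security context '%s' on fd %d not supported",
                 tcon, fd);
        return 0;
    }

    virReportSystemError(saved_errno,
                         _("unable to set security context '%s' on fd %d"),
                         tcon, fd);
    /* -1 from security_getenforce() means the state is unknown; treat it
     * like enforcing rather than silently accepting the unlabelled file. */
    if (security_getenforce() != 0)
        return -1;
    return 0;
}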

/* Look up the label the file-context policy assigns to @newpath given its
 * file type bits in @mode, storing it in *@fcon.
 *
 * Returns -1 on failure, otherwise the result of selabel_lookup() (or of
 * matchpathcon() on older libselinux). The caller releases *@fcon with
 * freecon(). A new selabel handle is opened for every call; the context
 * database is not cached. */
static int
getContext(const char *newpath, mode_t mode, security_context_t *fcon)
{
#if HAVE_SELINUX_LABEL_H
    int rc = -1;
    struct selabel_handle *hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);

    if (hnd) {
        rc = selabel_lookup(hnd, fcon, newpath, mode);
        selabel_close(hnd);
    }
    return rc;
#else
    return matchpathcon(newpath, mode, fcon);
#endif
}


/* This method shouldn't raise errors, since they'll overwrite
 * errors that the caller(s) are already dealing with */
/* Reset @path (symlinks resolved first) to the label the file-context
 * policy assigns it. Problems are only logged with VIR_WARN, never
 * reported as libvirt errors. Returns SELinuxSetFilecon()'s result, or -1
 * if the path could not be resolved, stat'ed or matched by the policy. */
static int
SELinuxRestoreSecurityFileLabel(const char *path)
{
    struct stat sb;
    security_context_t fcon = NULL;
    char *target = NULL;
    char ebuf[1024];
    int rc = -1;

    VIR_INFO("Restoring SELinux context on '%s'", path);

    if (virFileResolveLink(path, &target) < 0) {
        VIR_WARN("cannot resolve symlink %s: %s", path,
                 virStrerror(errno, ebuf, sizeof(ebuf)));
    } else if (stat(target, &sb) != 0) {
        VIR_WARN("cannot stat %s: %s", target,
                 virStrerror(errno, ebuf, sizeof(ebuf)));
    } else if (getContext(target, sb.st_mode, &fcon) < 0) {
        VIR_WARN("cannot lookup default selinux label for %s", target);
    } else {
        /* The resolved target, not the symlink, is relabelled. */
        rc = SELinuxSetFilecon(target, fcon);
    }

    freecon(fcon);
    VIR_FREE(target);
    return rc;
}

/* Restore the default label on @disk's source file after @vm stops.
 *
 * Skipped entirely for domains with relabelling disabled, for read-only or
 * shared disks (other guests may still use them), for network disks and
 * for disks without a source. When @migrated is non-zero an image on a
 * shared filesystem is also left alone so the destination host keeps
 * access. Returns 0, or -1 if the shared-FS probe or the restore fails. */
static int
SELinuxRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                    virDomainObjPtr vm,
                                    virDomainDiskDefPtr disk,
                                    int migrated)
{
    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
    int shared;

    if (secdef->norelabel)
        return 0;

    /* Don't restore labels on readoly/shared disks, because
     * other VMs may still be accessing these
     * Alternatively we could iterate over all running
     * domains and try to figure out if it is in use, but
     * this would not work for clustered filesystems, since
     * we can't see running VMs using the file on other nodes
     * Safest bet is thus to skip the restore step.
     */
    if (disk->readonly || disk->shared)
        return 0;

    if (!disk->src || disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK)
        return 0;

    if (!migrated)
        return SELinuxRestoreSecurityFileLabel(disk->src);

    /* If we have a shared FS & doing migrated, we must not
     * change ownership, because that kills access on the
     * destination host which is sub-optimal for the guest
     * VM's I/O attempts :-)
     */
    shared = virStorageFileIsSharedFS(disk->src);
    if (shared < 0)
        return -1;
    if (shared == 1) {
        VIR_DEBUG("Skipping image label restore on %s because FS is shared",
                  disk->src);
        return 0;
    }

    return SELinuxRestoreSecurityFileLabel(disk->src);
}


/* Public (non-migration) entry point for restoring a disk image label;
 * equivalent to SELinuxRestoreSecurityImageLabelInt() with migrated = 0. */
static int
SELinuxRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
                                 virDomainObjPtr vm,
                                 virDomainDiskDefPtr disk)
{
    const int migrated = 0;

    return SELinuxRestoreSecurityImageLabelInt(mgr, vm, disk, migrated);
}


/* virDomainDiskDefForeachPath() callback: label one file of a disk chain.
 *
 * @depth is 0 for the disk's own source and greater for backing files.
 * The top-level file gets the shared image context, the read-only content
 * context or the domain's image label depending on the disk flags (and is
 * left alone if no image label exists); backing files always get the
 * content context. A failure on an NFS mount is ignored. Returns 0 or -1. */
static int
SELinuxSetSecurityFileLabel(virDomainDiskDefPtr disk,
                            const char *path,
                            size_t depth,
                            void *opaque)
{
    const virSecurityLabelDefPtr secdef = opaque;
    char *label;
    int ret = 0;

    if (depth != 0)
        label = default_content_context;
    else if (disk->shared)
        label = default_image_context;
    else if (disk->readonly)
        label = default_content_context;
    else
        label = secdef->imagelabel;   /* may be NULL: nothing to set */

    if (label)
        ret = SELinuxSetFilecon(path, label);

    if (ret < 0 &&
        virStorageFileIsSharedFSType(path,
                                     VIR_STORAGE_FILE_SHFS_NFS) == 1)
        ret = 0;
    return ret;
}

/* Label @disk's source and its backing chain for @vm using
 * SELinuxSetSecurityFileLabel(). No-op when relabelling is disabled.
 * Returns the iteration's result (0 or -1). */
static int
SELinuxSetSecurityImageLabel(virSecurityManagerPtr mgr,
                             virDomainObjPtr vm,
                             virDomainDiskDefPtr disk)

{
    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
    bool probe;

    if (secdef->norelabel)
        return 0;

    /* Whether backing files may be discovered by probing the image format
     * is a manager-level policy setting. */
    probe = virSecurityManagerGetAllowDiskFormatProbing(mgr);

    return virDomainDiskDefForeachPath(disk, probe, true,
                                       SELinuxSetSecurityFileLabel,
                                       secdef);
}


/* pciDeviceFileIterate() callback: give a PCI device node @file the
 * domain's image label. @opaque is the virDomainObjPtr. */
static int
SELinuxSetSecurityPCILabel(pciDevice *dev ATTRIBUTE_UNUSED,
                           const char *file, void *opaque)
{
    virDomainObjPtr vm = opaque;
    char *label = vm->def->seclabel.imagelabel;

    return SELinuxSetFilecon(file, label);
}

/* usbDeviceFileIterate() callback: give a USB device node @file the
 * domain's image label. @opaque is the virDomainObjPtr. */
static int
SELinuxSetSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED,
                           const char *file, void *opaque)
{
    virDomainObjPtr vm = opaque;
    char *label = vm->def->seclabel.imagelabel;

    return SELinuxSetFilecon(file, label);
}

/* Label the host device nodes backing the passthrough device @dev so the
 * guest process can open them.
 *
 * Only subsystem-mode USB and PCI devices are handled; anything else (and
 * a domain with relabelling disabled) is a no-op. Returns -1 if the
 * device cannot be looked up or labelling fails, else 0. */
static int
SELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                               virDomainObjPtr vm,
                               virDomainHostdevDefPtr dev)

{
    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
    int ret = 0;

    if (secdef->norelabel || dev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS)
        return 0;

    if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB) {
        usbDevice *usb = usbGetDevice(dev->source.subsys.u.usb.bus,
                                      dev->source.subsys.u.usb.device);

        if (!usb)
            return -1;

        ret = usbDeviceFileIterate(usb, SELinuxSetSecurityUSBLabel, vm);
        usbFreeDevice(usb);
    } else if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI) {
        pciDevice *pci = pciGetDevice(dev->source.subsys.u.pci.domain,
                                      dev->source.subsys.u.pci.bus,
                                      dev->source.subsys.u.pci.slot,
                                      dev->source.subsys.u.pci.function);

        if (!pci)
            return -1;

        ret = pciDeviceFileIterate(pci, SELinuxSetSecurityPCILabel, vm);
        pciFreeDevice(pci);
    }

    return ret;
}


/* pciDeviceFileIterate() callback: restore the policy default label on
 * the PCI device node @file. */
static int
SELinuxRestoreSecurityPCILabel(pciDevice *dev ATTRIBUTE_UNUSED,
                               const char *file,
                               void *opaque ATTRIBUTE_UNUSED)
{
    int rc = SELinuxRestoreSecurityFileLabel(file);

    return rc;
}

/* usbDeviceFileIterate() callback: restore the policy default label on
 * the USB device node @file. */
static int
SELinuxRestoreSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED,
                               const char *file,
                               void *opaque ATTRIBUTE_UNUSED)
{
    int rc = SELinuxRestoreSecurityFileLabel(file);

    return rc;
}

/* Undo SELinuxSetSecurityHostdevLabel(): restore the policy default label
 * on the device nodes of the subsystem-mode USB or PCI device @dev.
 *
 * No-op for other device kinds or when relabelling is disabled. Returns
 * -1 if the device cannot be looked up or a restore fails, else 0. */
static int
SELinuxRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                   virDomainObjPtr vm,
                                   virDomainHostdevDefPtr dev)

{
    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
    int ret = 0;

    if (secdef->norelabel || dev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS)
        return 0;

    if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB) {
        usbDevice *usb = usbGetDevice(dev->source.subsys.u.usb.bus,
                                      dev->source.subsys.u.usb.device);

        if (!usb)
            return -1;

        ret = usbDeviceFileIterate(usb, SELinuxRestoreSecurityUSBLabel, NULL);
        usbFreeDevice(usb);
    } else if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI) {
        pciDevice *pci = pciGetDevice(dev->source.subsys.u.pci.domain,
                                      dev->source.subsys.u.pci.bus,
                                      dev->source.subsys.u.pci.slot,
                                      dev->source.subsys.u.pci.function);

        if (!pci)
            return -1;

        ret = pciDeviceFileIterate(pci, SELinuxRestoreSecurityPCILabel, NULL);
        pciFreeDevice(pci);
    }

    return ret;
}


/* Give the host-side file of character device source @dev the domain's
 * image label.
 *
 * Device and plain file sources are labelled directly. A pipe source is
 * labelled as a single path if it exists, otherwise as the "<path>.in" and
 * "<path>.out" pair. Other source types need nothing. Returns 0 or -1. */
static int
SELinuxSetSecurityChardevLabel(virDomainObjPtr vm,
                               virDomainChrSourceDefPtr dev)

{
    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
    char *in = NULL, *out = NULL;
    int ret = -1;

    if (secdef->norelabel)
        return 0;

    switch (dev->type) {
    case VIR_DOMAIN_CHR_TYPE_DEV:
    case VIR_DOMAIN_CHR_TYPE_FILE:
        ret = SELinuxSetFilecon(dev->data.file.path, secdef->imagelabel);
        break;

    case VIR_DOMAIN_CHR_TYPE_PIPE:
        if (virFileExists(dev->data.file.path)) {
            ret = SELinuxSetFilecon(dev->data.file.path, secdef->imagelabel);
            break;
        }
        if (virAsprintf(&in, "%s.in", dev->data.file.path) < 0 ||
            virAsprintf(&out, "%s.out", dev->data.file.path) < 0) {
            virReportOOMError();
            break;
        }
        /* Short-circuit: the .out side is not touched if .in fails. */
        if (SELinuxSetFilecon(in, secdef->imagelabel) == 0 &&
            SELinuxSetFilecon(out, secdef->imagelabel) == 0)
            ret = 0;
        break;

    default:
        ret = 0;
        break;
    }

    VIR_FREE(in);
    VIR_FREE(out);
    return ret;
}

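/* Undo SELinuxSetSecurityChardevLabel(): restore the policy default label
 * on the host-side file(s) of character device source @dev.
 *
 * Mirrors the set path: device and file sources are restored directly; a
 * pipe source is restored as the single path if it exists, otherwise as
 * the "<path>.out" and "<path>.in" pair. Returns 0 or -1. */
static int
SELinuxRestoreSecurityChardevLabel(virDomainObjPtr vm,
                                   virDomainChrSourceDefPtr dev)

{
    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
    char *in = NULL, *out = NULL;
    int ret = -1;

    if (secdef->norelabel)
        return 0;

    switch (dev->type) {
    case VIR_DOMAIN_CHR_TYPE_DEV:
    case VIR_DOMAIN_CHR_TYPE_FILE:
        if (SELinuxRestoreSecurityFileLabel(dev->data.file.path) < 0)
            goto done;
        ret = 0;
        break;
    case VIR_DOMAIN_CHR_TYPE_PIPE:
        /* SELinuxSetSecurityChardevLabel() labels the pipe path itself
         * when it exists and only falls back to the .in/.out pair
         * otherwise; restoring unconditionally restored the pair and
         * left a labelled single-path pipe behind. */
        if (virFileExists(dev->data.file.path)) {
            if (SELinuxRestoreSecurityFileLabel(dev->data.file.path) < 0)
                goto done;
            ret = 0;
            break;
        }
        if ((virAsprintf(&out, "%s.out", dev->data.file.path) < 0) ||
            (virAsprintf(&in, "%s.in", dev->data.file.path) < 0)) {
            virReportOOMError();
            goto done;
        }
        if ((SELinuxRestoreSecurityFileLabel(out) < 0) ||
            (SELinuxRestoreSecurityFileLabel(in) < 0))
            goto done;
        ret = 0;
        break;

    default:
        ret = 0;
        break;
    }

done:
    VIR_FREE(in);
    VIR_FREE(out);
    return ret;
}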


/* virDomainChrDefForeach() callback: restore the label of one character
 * device's source. @opaque is the virDomainObjPtr. */
static int
SELinuxRestoreSecurityChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
                                      virDomainChrDefPtr dev,
                                      void *opaque)
{
    virDomainObjPtr vm = opaque;
    virDomainChrSourceDefPtr src = &dev->source;

    return SELinuxRestoreSecurityChardevLabel(vm, src);
}


/* virDomainSmartcardDefForeach() callback: restore the label of the host
 * files behind one smartcard device.
 *
 * Host mode has nothing to restore; certificate mode restores the NSS
 * database directory (configured or default); passthrough mode delegates
 * to the chardev restore. An unknown type is reported as an error.
 * Returns 0 or -1. @opaque is the virDomainObjPtr. */
static int
SELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
                                        virDomainSmartcardDefPtr dev,
                                        void *opaque)
{
    virDomainObjPtr vm = opaque;
    const char *database;
    int ret = 0;

    switch (dev->type) {
    case VIR_DOMAIN_SMARTCARD_TYPE_HOST:
        break;

    case VIR_DOMAIN_SMARTCARD_TYPE_HOST_CERTIFICATES:
        database = dev->data.cert.database
                   ? dev->data.cert.database
                   : VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE;
        ret = SELinuxRestoreSecurityFileLabel(database);
        break;

    case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
        ret = SELinuxRestoreSecurityChardevLabel(vm, &dev->data.passthru);
        break;

    default:
        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                               _("unknown smartcard type %d"),
                               dev->type);
        ret = -1;
        break;
    }

    return ret;
}


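/* Restore default labels on everything that was labelled for @vm:
 * host devices, disk images, character devices, smartcard files and the
 * external kernel/initrd.
 *
 * Every failure is remembered but the sweep continues, so a single bad
 * path does not leave the remaining files labelled. @migrated is passed
 * on to the image restore, which then leaves images on shared filesystems
 * alone. Returns 0 if everything succeeded, -1 otherwise. */
static int
SELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
                               virDomainObjPtr vm,
                               int migrated)
{
    /* Both @mgr and @migrated are used below; they previously carried
     * ATTRIBUTE_UNUSED, which only hid that fact. */
    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
    int i;
    int rc = 0;

    VIR_DEBUG("Restoring security label on %s", vm->def->name);

    if (secdef->norelabel)
        return 0;

    for (i = 0 ; i < vm->def->nhostdevs ; i++) {
        if (SELinuxRestoreSecurityHostdevLabel(mgr,
                                               vm,
                                               vm->def->hostdevs[i]) < 0)
            rc = -1;
    }
    for (i = 0 ; i < vm->def->ndisks ; i++) {
        if (SELinuxRestoreSecurityImageLabelInt(mgr,
                                                vm,
                                                vm->def->disks[i],
                                                migrated) < 0)
            rc = -1;
    }

    if (virDomainChrDefForeach(vm->def,
                               false,
                               SELinuxRestoreSecurityChardevCallback,
                               vm) < 0)
        rc = -1;

    if (virDomainSmartcardDefForeach(vm->def,
                                     false,
                                     SELinuxRestoreSecuritySmartcardCallback,
                                     vm) < 0)
        rc = -1;

    if (vm->def->os.kernel &&
        SELinuxRestoreSecurityFileLabel(vm->def->os.kernel) < 0)
        rc = -1;

    if (vm->def->os.initrd &&
        SELinuxRestoreSecurityFileLabel(vm->def->os.initrd) < 0)
        rc = -1;

    return rc;
}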

/**
 * SELinuxReleaseSecurityLabel:
 * @mgr: unused
 * @vm: domain whose labels are being torn down
 *
 * Free the label strings owned by @vm's seclabel.  For a dynamically
 * generated label the MCS range is additionally handed back to the
 * allocator (mcsRemove) so it can be reused by a later domain; if the
 * label string cannot be parsed by libselinux the range is simply left
 * in the list.  The model string is kept when a base label was supplied
 * by the user, since it then belongs to the configuration.
 *
 * Always returns 0.
 */
static int
SELinuxReleaseSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                            virDomainObjPtr vm)
{
    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
    bool dynamic = secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC;

    if (dynamic && secdef->label != NULL) {
        context_t con = context_new(secdef->label);

        if (con) {
            mcsRemove(context_range_get(con));
            context_free(con);
        }
    }

    if (dynamic) {
        VIR_FREE(secdef->label);
        if (!secdef->baselabel)
            VIR_FREE(secdef->model);
    }

    VIR_FREE(secdef->imagelabel);

    return 0;
}


/**
 * SELinuxSetSavedStateLabel:
 * @mgr: unused
 * @vm: domain being saved
 * @savefile: path of the save/managed-save file to label
 *
 * Give the save file the same image context the domain's disks use, so
 * the domain process can write to it.  Domains that opted out of
 * relabelling keep whatever context @savefile already has.
 *
 * NOTE(review): unlike SELinuxSetImageFDLabel this does not guard against
 * secdef->imagelabel being NULL — confirm SELinuxSetFilecon tolerates it.
 *
 * Returns the result of SELinuxSetFilecon, or 0 when relabelling is off.
 */
static int
SELinuxSetSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                          virDomainObjPtr vm,
                          const char *savefile)
{
    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;

    return secdef->norelabel
        ? 0
        : SELinuxSetFilecon(savefile, secdef->imagelabel);
}


/**
 * SELinuxRestoreSavedStateLabel:
 * @mgr: unused
 * @vm: domain the save file belongs to
 * @savefile: path whose context is restored to the default
 *
 * Counterpart of SELinuxSetSavedStateLabel: drop the domain-specific
 * context from @savefile again.  A no-op for domains with
 * secdef->norelabel set, mirroring the set side.
 *
 * Returns the result of SELinuxRestoreSecurityFileLabel, or 0 when
 * relabelling is off.
 */
static int
SELinuxRestoreSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                              virDomainObjPtr vm,
                              const char *savefile)
{
    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;

    return secdef->norelabel
        ? 0
        : SELinuxRestoreSecurityFileLabel(savefile);
}


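/**
 * SELinuxSecurityVerify:
 * @mgr: security manager whose model the domain must match
 * @def: domain definition to validate
 *
 * Sanity-check a domain's seclabel before it is used: the configured
 * model must be the one this driver implements, and a static label
 * (supplied verbatim by the user rather than generated here) must be a
 * context the loaded policy accepts, as judged by security_check_context().
 * Dynamic labels are not checked here since they are generated later.
 *
 * Returns 0 if the label is usable, -1 (with an error reported) otherwise.
 */
static int
SELinuxSecurityVerify(virSecurityManagerPtr mgr,
                      virDomainDefPtr def)
{
    const virSecurityLabelDefPtr secdef = &def->seclabel;
    const char *model = virSecurityManagerGetModel(mgr);

    /* @mgr is read for the model comparison, so it must not be tagged
     * ATTRIBUTE_UNUSED. */
    if (!STREQ(model, secdef->model)) {
        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                               _("security label driver mismatch: "
                                 "'%s' model configured for domain, but "
                                 "hypervisor driver is '%s'."),
                               secdef->model, model);
        return -1;
    }

    if (secdef->type != VIR_DOMAIN_SECLABEL_STATIC)
        return 0;

    /* Reject a user-supplied context the policy does not know; with a
     * bad label every later setfilecon/setexeccon would fail anyway. */
    if (security_check_context(secdef->label) != 0) {
        virSecurityReportError(VIR_ERR_XML_ERROR,
                               _("Invalid security label %s"), secdef->label);
        return -1;
    }

    return 0;
}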

/**
 * SELinuxSetSecurityProcessLabel:
 * @mgr: security manager, used for the model check
 * @vm: domain whose label the next exec'd process should run under
 *
 * Arrange for the next exec() in this process to run in the domain's
 * context via setexeccon().  Errors (model mismatch, setexeccon failure)
 * are always reported, but they only abort the operation when SELinux is
 * enforcing; in permissive mode the call proceeds / succeeds regardless.
 *
 * Returns 0 on success or when no label is configured; -1 when a step
 * fails while SELinux is enforcing.
 */
static int
SELinuxSetSecurityProcessLabel(virSecurityManagerPtr mgr,
                               virDomainObjPtr vm)
{
    /* TODO: verify DOI */
    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
    int rc;

    if (secdef->label == NULL)
        return 0;

    if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                               _("security label driver mismatch: "
                                 "'%s' model configured for domain, but "
                                 "hypervisor driver is '%s'."),
                               secdef->model, virSecurityManagerGetModel(mgr));
        if (security_getenforce() == 1)
            return -1;
        /* permissive: still attempt to apply the label below */
    }

    rc = setexeccon(secdef->label);
    if (rc < 0) {
        virReportSystemError(errno,
                             _("unable to set security context '%s'"),
                             secdef->label);
        rc = security_getenforce() == 1 ? -1 : 0;
    }

    return rc;
}

/**
 * SELinuxSetSecurityDaemonSocketLabel:
 * @mgr: security manager, used for the model check
 * @vm: domain the daemon is about to create a socket for
 *
 * Set the socket-creation context of the current (daemon) process to its
 * own user/role/type combined with the MCS range of @vm's label, via
 * setsockcreatecon().  Every failure is reported, but the function only
 * returns an error while SELinux is enforcing; in permissive mode all
 * failures are downgraded to success at the cleanup label.
 *
 * Returns 0 on success, when @vm has no label, or in permissive mode;
 * -1 on failure while enforcing.
 */
static int
SELinuxSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr,
                                    virDomainObjPtr vm)
{
    /* TODO: verify DOI */
    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
    security_context_t self_con = NULL;  /* raw context of this daemon */
    context_t vm_con = NULL;             /* parsed label of the domain */
    context_t sock_con = NULL;           /* daemon context + domain range */
    int ret = -1;

    if (secdef->label == NULL)
        return 0;

    if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                               _("security label driver mismatch: "
                                 "'%s' model configured for domain, but "
                                 "hypervisor driver is '%s'."),
                               secdef->model, virSecurityManagerGetModel(mgr));
        goto cleanup;
    }

    vm_con = context_new(secdef->label);
    if (vm_con == NULL) {
        virReportSystemError(errno,
                             _("unable to allocate socket security context '%s'"),
                             secdef->label);
        goto cleanup;
    }

    if (getcon(&self_con) < 0) {
        virReportSystemError(errno,
                             _("unable to get current process context '%s'"),
                             secdef->label);
        goto cleanup;
    }

    sock_con = context_new(self_con);
    if (sock_con == NULL) {
        virReportSystemError(errno,
                             _("unable to set socket security context '%s'"),
                             secdef->label);
        goto cleanup;
    }

    /* Keep the daemon's own user/role/type but borrow the domain's MCS
     * range for the socket. */
    if (context_range_set(sock_con, context_range_get(vm_con)) < 0) {
        virReportSystemError(errno,
                             _("unable to set socket security context range '%s'"),
                             secdef->label);
        goto cleanup;
    }

    VIR_DEBUG("Setting VM %s socket context %s",
              vm->def->name, context_str(sock_con));
    if (setsockcreatecon(context_str(sock_con)) < 0) {
        virReportSystemError(errno,
                             _("unable to set socket security context '%s'"),
                             context_str(sock_con));
        goto cleanup;
    }

    ret = 0;

cleanup:
    /* Permissive mode: errors were reported above but are not fatal. */
    if (security_getenforce() != 1)
        ret = 0;
    if (vm_con)
        context_free(vm_con);
    if (sock_con)
        context_free(sock_con);
    freecon(self_con);
    return ret;
}

/**
 * SELinuxSetSecuritySocketLabel:
 * @mgr: security manager, used for the model check
 * @vm: domain whose full label sockets should be created with
 *
 * Set the socket-creation context of the calling process to @vm's label
 * as-is (contrast SELinuxSetSecurityDaemonSocketLabel, which only takes
 * the MCS range).  Failures are reported but, as elsewhere in this
 * driver, only count as errors while SELinux is enforcing.
 *
 * Returns 0 on success, when no label is configured, or in permissive
 * mode; -1 on failure while enforcing.
 */
static int
SELinuxSetSecuritySocketLabel(virSecurityManagerPtr mgr,
                              virDomainObjPtr vm)
{
    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
    int rc = 0;

    if (secdef->label == NULL)
        return 0;

    if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                               _("security label driver mismatch: "
                                 "'%s' model configured for domain, but "
                                 "hypervisor driver is '%s'."),
                               secdef->model, virSecurityManagerGetModel(mgr));
        rc = -1;
    } else {
        VIR_DEBUG("Setting VM %s socket context %s",
                  vm->def->name, secdef->label);
        if (setsockcreatecon(secdef->label) < 0) {
            virReportSystemError(errno,
                                 _("unable to set socket security context '%s'"),
                                 secdef->label);
            rc = -1;
        }
    }

    /* Permissive mode never fails the caller. */
    if (security_getenforce() != 1)
        rc = 0;

    return rc;
}

/**
 * SELinuxClearSecuritySocketLabel:
 * @mgr: security manager, used for the model check
 * @vm: domain the socket context was previously set for
 *
 * Reset the socket-creation context of the calling process back to the
 * default (setsockcreatecon(NULL)) after SELinuxSetSecuritySocketLabel or
 * SELinuxSetSecurityDaemonSocketLabel.  Failures are reported and are
 * fatal only while SELinux is enforcing.
 *
 * Returns 0 on success, when no label is configured, or in permissive
 * mode; -1 on failure while enforcing.
 */
static int
SELinuxClearSecuritySocketLabel(virSecurityManagerPtr mgr,
                                virDomainObjPtr vm)
{
    /* TODO: verify DOI */
    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;

    if (secdef->label == NULL)
        return 0;

    if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                               _("security label driver mismatch: "
                                 "'%s' model configured for domain, but "
                                 "hypervisor driver is '%s'."),
                               secdef->model, virSecurityManagerGetModel(mgr));
        if (security_getenforce() == 1)
            return -1;
        /* permissive: still try to clear the context below */
    }

    if (setsockcreatecon(NULL) < 0) {
        virReportSystemError(errno,
                             _("unable to clear socket security context '%s'"),
                             secdef->label);
        return security_getenforce() == 1 ? -1 : 0;
    }

    return 0;
}


/**
 * SELinuxSetSecurityChardevCallback:
 * @def: unused; the domain is reached through @opaque instead
 * @dev: character device being visited
 * @opaque: the virDomainObjPtr handed to virDomainChrDefForeach
 *
 * virDomainChrDefForeach adapter that labels the backing source of one
 * character device.
 *
 * Returns whatever SELinuxSetSecurityChardevLabel returns.
 */
static int
SELinuxSetSecurityChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
                                  virDomainChrDefPtr dev,
                                  void *opaque)
{
    return SELinuxSetSecurityChardevLabel((virDomainObjPtr) opaque,
                                          &dev->source);
}


/**
 * SELinuxSetSecuritySmartcardCallback:
 * @def: unused; the domain is reached through @opaque instead
 * @dev: smartcard device being visited
 * @opaque: the virDomainObjPtr handed to virDomainSmartcardDefForeach
 *
 * virDomainSmartcardDefForeach adapter.  A host-backed smartcard has no
 * file to label; the certificate variant labels its NSS database
 * directory (the default path when none is configured) with the generic
 * content context; passthrough delegates to the chardev labelling.
 *
 * Returns 0 on success, -1 on failure or for an unknown device type.
 */
static int
SELinuxSetSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
                                    virDomainSmartcardDefPtr dev,
                                    void *opaque)
{
    virDomainObjPtr vm = opaque;

    if (dev->type == VIR_DOMAIN_SMARTCARD_TYPE_HOST)
        return 0;

    if (dev->type == VIR_DOMAIN_SMARTCARD_TYPE_HOST_CERTIFICATES) {
        const char *database = dev->data.cert.database
            ? dev->data.cert.database
            : VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE;

        return SELinuxSetFilecon(database, default_content_context);
    }

    if (dev->type == VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH)
        return SELinuxSetSecurityChardevLabel(vm, &dev->data.passthru);

    virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                           _("unknown smartcard type %d"),
                           dev->type);
    return -1;
}


/**
 * SELinuxSetSecurityAllLabel:
 * @mgr: security manager, forwarded to the per-device labelling helpers
 * @vm: domain about to be started
 * @stdin_path: optional file the domain process reads on stdin, or NULL
 *
 * Apply labels to everything the domain will touch: disk images, host
 * devices, character devices, smartcard files, kernel/initrd and the
 * stdin file.  Unlike the restore path this stops at the first failure
 * and returns -1, leaving any partially applied labels for the caller to
 * undo.  Directory-backed disks are skipped with a warning because the
 * tree is not labelled recursively yet.
 *
 * Returns 0 on success or when @vm has secdef->norelabel set, -1 on the
 * first failure.
 */
static int
SELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
                           virDomainObjPtr vm,
                           const char *stdin_path)
{
    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
    virDomainDefPtr def = vm->def;
    int i;

    if (secdef->norelabel)
        return 0;

    for (i = 0; i < def->ndisks; i++) {
        /* XXX fixme - we need to recursively label the entire tree :-( */
        if (def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_DIR) {
            VIR_WARN("Unable to relabel directory tree %s for disk %s",
                     def->disks[i]->src, def->disks[i]->dst);
        } else if (SELinuxSetSecurityImageLabel(mgr, vm, def->disks[i]) < 0) {
            return -1;
        }
    }

    /* XXX fixme process  vm->def->fss if relabel == true */

    for (i = 0; i < def->nhostdevs; i++) {
        if (SELinuxSetSecurityHostdevLabel(mgr, vm, def->hostdevs[i]) < 0)
            return -1;
    }

    /* 'true' lets the iterator visit every reference to a chardev, so
     * each backing path is labelled. */
    if (virDomainChrDefForeach(def,
                               true,
                               SELinuxSetSecurityChardevCallback,
                               vm) < 0)
        return -1;

    if (virDomainSmartcardDefForeach(def,
                                     true,
                                     SELinuxSetSecuritySmartcardCallback,
                                     vm) < 0)
        return -1;

    /* kernel/initrd are read-only host files and get the generic content
     * context rather than the per-domain image label. */
    if (def->os.kernel &&
        SELinuxSetFilecon(def->os.kernel, default_content_context) < 0)
        return -1;

    if (def->os.initrd &&
        SELinuxSetFilecon(def->os.initrd, default_content_context) < 0)
        return -1;

    if (stdin_path &&
        SELinuxSetFilecon(stdin_path, default_content_context) < 0) {
        /* A failed relabel is tolerated only when the file lives on NFS,
         * where setting a context is not supported. */
        if (virStorageFileIsSharedFSType(stdin_path,
                                         VIR_STORAGE_FILE_SHFS_NFS) != 1)
            return -1;
    }

    return 0;
}

/**
 * SELinuxSetImageFDLabel:
 * @mgr: unused
 * @vm: domain whose image label is applied
 * @fd: open descriptor to relabel
 *
 * Label an already-open file (fsetfilecon path) with the domain's image
 * context, for descriptors passed to the domain process instead of a
 * path.  Nothing is done when the domain has no image label.
 *
 * Returns the result of SELinuxFSetFilecon, or 0 when there is no label.
 */
static int
SELinuxSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                       virDomainObjPtr vm,
                       int fd)
{
    const char *imagelabel = vm->def->seclabel.imagelabel;

    return imagelabel ? SELinuxFSetFilecon(fd, imagelabel) : 0;
}

/* Driver vtable registered with the security manager.  The initializer
 * is positional, so the order below must track the field order of
 * virSecurityDriver in security_driver.h: a callback placed in the wrong
 * slot would silently be bound to the wrong operation. */
virSecurityDriver virSecurityDriverSELinux = {
    0,
    SECURITY_SELINUX_NAME,
    /* lifecycle: probe whether SELinux is usable, open, close */
    SELinuxSecurityDriverProbe,
    SELinuxSecurityDriverOpen,
    SELinuxSecurityDriverClose,

    SELinuxSecurityGetModel,
    SELinuxSecurityGetDOI,

    /* validate a domain's configured seclabel against this driver */
    SELinuxSecurityVerify,

    SELinuxSetSecurityImageLabel,
    SELinuxRestoreSecurityImageLabel,

    /* socket-creation context for the daemon / the domain process */
    SELinuxSetSecurityDaemonSocketLabel,
    SELinuxSetSecuritySocketLabel,
    SELinuxClearSecuritySocketLabel,

    /* dynamic label allocation and its release */
    SELinuxGenSecurityLabel,
    SELinuxReserveSecurityLabel,
    SELinuxReleaseSecurityLabel,

    SELinuxGetSecurityProcessLabel,
    SELinuxSetSecurityProcessLabel,

    /* label / unlabel every resource of a domain at start and stop */
    SELinuxSetSecurityAllLabel,
    SELinuxRestoreSecurityAllLabel,

    SELinuxSetSecurityHostdevLabel,
    SELinuxRestoreSecurityHostdevLabel,

    SELinuxSetSavedStateLabel,
    SELinuxRestoreSavedStateLabel,

    SELinuxSetImageFDLabel,
};