security: dac: Relabel /dev/sev in the namespace

The default permissions (0600 root:root) are of no use to the qemu process so we need to change the owner to qemu iff running with namespaces. Signed-off-by: N Erik Skultety <eskultet@redhat.com> Reviewed-by: N Daniel P. Berrangé <berrange@redhat.com>

security: dac: Relabel /dev/sev in the namespace
The default permissions (0600 root:root) are of no use to the qemu process so we need to change the owner to qemu iff running with namespaces. Signed-off-by: N Erik Skultety <eskultet@redhat.com> Reviewed-by: N Daniel P. Berrangé <berrange@redhat.com>
17f6a257 · Erik Skultety · 6fd4c8f8 · 17f6a257
隐藏空白更改
内联并排

Showing with 51 addition and 0 deletion

src/security/security_dac.c src/security/security_dac.c +51 -0

未找到文件。
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -48,6 +48,7 @@
 VIR_LOG_INIT("security.security_dac");

 #define SECURITY_DAC_NAME "dac"
+#define DEV_SEV "/dev/sev"

 typedef struct _virSecurityDACData virSecurityDACData;
 typedef virSecurityDACData *virSecurityDACDataPtr;
@@ -1676,6 +1677,16 @@ virSecurityDACRestoreMemoryLabel(virSecurityManagerPtr mgr,
 }


+static int
+virSecurityDACRestoreSEVLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+                              virDomainDefPtr def ATTRIBUTE_UNUSED)
+{
+    /* we only label /dev/sev when running with namespaces, so we don't need to
+     * restore anything */
+    return 0;
+}
+
+
 static int
 virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
                              virDomainDefPtr def,
@@ -1746,6 +1757,11 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
            rc = -1;
    }

+    if (def->sev) {
+        if (virSecurityDACRestoreSEVLabel(mgr, def) < 0)
+            rc = -1;
+    }
+
    if (def->os.loader && def->os.loader->nvram &&
        virSecurityDACRestoreFileLabel(mgr, def->os.loader->nvram) < 0)
        rc = -1;
@@ -1819,6 +1835,36 @@ virSecurityDACSetMemoryLabel(virSecurityManagerPtr mgr,
 }


+static int
+virSecurityDACSetSEVLabel(virSecurityManagerPtr mgr,
+                          virDomainDefPtr def)
+{
+    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+    virSecurityLabelDefPtr seclabel;
+    uid_t user;
+    gid_t group;
+
+    /* Skip chowning /dev/sev if namespaces are disabled as we'd significantly
+     * increase the chance of a DOS attack on SEV
+     */
+    if (!priv->mountNamespace)
+        return 0;
+
+    seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
+    if (seclabel && !seclabel->relabel)
+        return 0;
+
+    if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL) < 0)
+        return -1;
+
+    if (virSecurityDACSetOwnership(mgr, NULL, DEV_SEV,
+                                   user, group, false) < 0)
+        return -1;
+
+    return 0;
+}
+
+
 static int
 virSecurityDACSetAllLabel(virSecurityManagerPtr mgr,
                          virDomainDefPtr def,
@@ -1888,6 +1934,11 @@ virSecurityDACSetAllLabel(virSecurityManagerPtr mgr,
            return -1;
    }

+    if (def->sev) {
+        if (virSecurityDACSetSEVLabel(mgr, def) < 0)
+            return -1;
+    }
+
    if (virSecurityDACGetImageIds(secdef, priv, &user, &group))
        return -1;