提交 1c57eea3 编写于 作者: P Pavel Hrdina

qemu: fix security labeling for attach/detach of char devices

Commit e93d844b was not enough to fix the permission denied
issue.  We need to apply security labels as well.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1465833Signed-off-by: NPavel Hrdina <phrdina@redhat.com>
上级 1b4f66ec
......@@ -1815,6 +1815,7 @@ int qemuDomainAttachChrDevice(virConnectPtr conn,
bool chardevAttached = false;
bool teardowncgroup = false;
bool teardowndevice = false;
bool teardownlabel = false;
char *tlsAlias = NULL;
char *secAlias = NULL;
bool need_release = false;
......@@ -1835,6 +1836,10 @@ int qemuDomainAttachChrDevice(virConnectPtr conn,
goto cleanup;
teardowndevice = true;
if (qemuSecuritySetChardevLabel(driver, vm, chr) < 0)
goto cleanup;
teardownlabel = true;
if (qemuSetupChardevCgroup(vm, chr) < 0)
goto cleanup;
teardowncgroup = true;
......@@ -1877,6 +1882,8 @@ int qemuDomainAttachChrDevice(virConnectPtr conn,
qemuDomainReleaseDeviceAddress(vm, &chr->info, NULL);
if (teardowncgroup && qemuTeardownChardevCgroup(vm, chr) < 0)
VIR_WARN("Unable to remove chr device cgroup ACL on hotplug fail");
if (teardownlabel && qemuSecurityRestoreChardevLabel(driver, vm, chr) < 0)
VIR_WARN("Unable to restore security label on char device");
if (teardowndevice && qemuDomainNamespaceTeardownChardev(driver, vm, chr) < 0)
VIR_WARN("Unable to remove chr device from /dev");
}
......@@ -4154,6 +4161,9 @@ qemuDomainRemoveChrDevice(virQEMUDriverPtr driver,
if (qemuTeardownChardevCgroup(vm, chr) < 0)
VIR_WARN("Failed to remove chr device cgroup ACL");
if (qemuSecurityRestoreChardevLabel(driver, vm, chr) < 0)
VIR_WARN("Unable to restore security label on char device");
if (qemuDomainNamespaceTeardownChardev(driver, vm, chr) < 0)
VIR_WARN("Unable to remove chr device from /dev");
......
......@@ -364,3 +364,63 @@ qemuSecurityRestoreInputLabel(virDomainObjPtr vm,
virSecurityManagerTransactionAbort(driver->securityManager);
return ret;
}
int
qemuSecuritySetChardevLabel(virQEMUDriverPtr driver,
virDomainObjPtr vm,
virDomainChrDefPtr chr)
{
int ret = -1;
qemuDomainObjPrivatePtr priv = vm->privateData;
if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
virSecurityManagerTransactionStart(driver->securityManager) < 0)
goto cleanup;
if (virSecurityManagerSetChardevLabel(driver->securityManager,
vm->def,
chr->source,
priv->chardevStdioLogd) < 0)
goto cleanup;
if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
virSecurityManagerTransactionCommit(driver->securityManager,
vm->pid) < 0)
goto cleanup;
ret = 0;
cleanup:
virSecurityManagerTransactionAbort(driver->securityManager);
return ret;
}
int
qemuSecurityRestoreChardevLabel(virQEMUDriverPtr driver,
virDomainObjPtr vm,
virDomainChrDefPtr chr)
{
int ret = -1;
qemuDomainObjPrivatePtr priv = vm->privateData;
if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
virSecurityManagerTransactionStart(driver->securityManager) < 0)
goto cleanup;
if (virSecurityManagerRestoreChardevLabel(driver->securityManager,
vm->def,
chr->source,
priv->chardevStdioLogd) < 0)
goto cleanup;
if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
virSecurityManagerTransactionCommit(driver->securityManager,
vm->pid) < 0)
goto cleanup;
ret = 0;
cleanup:
virSecurityManagerTransactionAbort(driver->securityManager);
return ret;
}
......@@ -76,6 +76,14 @@ int qemuSecuritySetInputLabel(virDomainObjPtr vm,
int qemuSecurityRestoreInputLabel(virDomainObjPtr vm,
virDomainInputDefPtr input);
int qemuSecuritySetChardevLabel(virQEMUDriverPtr driver,
virDomainObjPtr vm,
virDomainChrDefPtr chr);
int qemuSecurityRestoreChardevLabel(virQEMUDriverPtr driver,
virDomainObjPtr vm,
virDomainChrDefPtr chr);
/* Please note that for these APIs there is no wrapper yet. Do NOT blindly add
* new APIs here. If an API can touch a /dev file add a proper wrapper instead.
*/
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册